> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toktra.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Employee offboarding

> Instantly revoke a departing employee's access to all LLM tools with a one-click lockout and tamper-proof audit trail.

When an employee leaves your organization, Toktra ensures their access to every LLM tool is revoked immediately — from OpenAI API keys to active agent connections on enrolled devices. This guide covers manual lockout from the dashboard, the automated Okta integration, HRIS-driven offboarding, and reviewing the audit record after the fact.

## Manual one-click lockout

The **Emergency Lockout** page lets an admin revoke a user's LLM access in a single click, without waiting for HRIS or IdP automation.

<Steps>
  <Step title="Navigate to Emergency Lockout">
    Go to **Lockout** in the sidebar.
  </Step>

  <Step title="Find the employee">
    Locate the user by email in the table. Active employees show a green **Active** badge.
  </Step>

  <Step title="Initiate the lockout">
    Click **Lock Out** next to the user's name.
  </Step>

  <Step title="Confirm">
    A confirmation dialog appears. Click **Confirm** to proceed. The lockout is irreversible without manual admin intervention.
  </Step>
</Steps>

<Warning>
  Triggering a lockout immediately begins the revocation pipeline. The user loses LLM access within seconds. This action is logged and cannot be undone without a deliberate admin override.
</Warning>

## What happens during a lockout

When a lockout is triggered (manually or automatically), Toktra executes the following steps in order:

<Steps>
  <Step title="Provider access revocation">
    Toktra calls provider admin APIs to revoke the user's organization membership and any API access tied to their identity (OpenAI, Anthropic, and others connected to your account).
  </Step>

  <Step title="Device lock command">
    A signed lock command is sent to all enrolled devices belonging to the user. Each agent receives the command and immediately blocks outbound LLM connections.
  </Step>

  <Step title="Audit snapshot generation">
    Toktra generates a **tamper-proof audit snapshot PDF** containing:

    * The user's identity and lockout timestamp
    * All LLM usage events in the 14-day pre-departure window
    * The revocation confirmation from each provider
    * A chain-of-custody record with RFC 3161 timestamps
  </Step>

  <Step title="S3 upload with Object Lock">
    The audit snapshot PDF is uploaded to the `toktra-audit-logs` S3 bucket with **Object Lock** in COMPLIANCE mode and a 7-year retention period. The snapshot cannot be modified or deleted until the retention period expires.
  </Step>
</Steps>

## Chain of custody

The audit snapshot is backed by a **chain-of-custody record** — an append-only, tamper-evident audit trail. Each node references its parent, creating an immutable directed acyclic graph. No record can be modified or deleted after it is written.

RFC 3161 timestamps from a trusted timestamp authority (DigiCert) provide cryptographic non-repudiation for every entry. This means that even Toktra itself cannot retroactively alter what was recorded at the time of lockout.

## Reviewing the audit snapshot

After a lockout, you can access the audit snapshot to verify what was captured.

<Steps>
  <Step title="Navigate to Legal or HRIS Offboarding">
    Go to **Legal → Legal Holds** (`LegalHoldPage`) or call `GET /v1/hris/offboarding/{snapshot_id}` via the API.
  </Step>

  <Step title="Locate the snapshot">
    Find the snapshot by user ID or lockout timestamp.
  </Step>

  <Step title="Download the PDF">
    Call `GET /v1/hris/offboarding/{snapshot_id}/pdf`. The response returns a presigned S3 URL valid for one hour. Download the PDF and verify the RFC 3161 timestamp to confirm the document has not been altered.
  </Step>
</Steps>

## Okta integration: automatic lockout on deactivation

Toktra integrates with Okta to trigger lockouts automatically when a user is deactivated in your IdP.

**How it works:**

1. Configure an Okta event hook to send `user.lifecycle.deactivate` events to the Toktra webhook endpoint provided in **Settings → Integrations → Okta**.
2. Toktra receives the webhook, verifies the HMAC-SHA256 signature, and initiates the lockout pipeline for the deactivated user.
3. The full lockout sequence (provider revocation, device lock commands, audit snapshot) runs automatically.

<Note>
  The Okta webhook fires on user deactivation, not on user deletion. Deactivation is the recommended action in Okta for offboarding, as it preserves the user record in the IdP for audit purposes.
</Note>

<Note>
  The webhook endpoint URL and signing secret are displayed in **Settings → Integrations → Okta** after you save the integration. Copy the signing secret into the Okta event hook configuration.
</Note>

## HRIS integration: automated detection of terminations

For organizations using Workday or BambooHR, Toktra can automatically detect employee terminations and trigger the offboarding pipeline without any manual dashboard action.

### Workday

Toktra polls the Workday REST API hourly. When a termination event is detected, the offboarding pipeline starts automatically.

Configure the Workday integration at `PUT /v1/hris/config`:

```json theme={null}
{
  "provider": "workday",
  "workday_base_url": "https://wd2-impl-services1.workday.com/ccx/service/your-tenant",
  "workday_username": "integration-user",
  "workday_password": "..."
}
```

### BambooHR

Toktra receives termination events from BambooHR via webhook. The endpoint at `POST /v1/hris/webhook/bamboohr` verifies the `X-BambooHR-Signature` HMAC-SHA256 header before processing.

Configure the BambooHR integration at `PUT /v1/hris/config`:

```json theme={null}
{
  "provider": "bamboohr",
  "bamboohr_subdomain": "yourcompany",
  "bamboohr_api_key": "...",
  "bamboohr_webhook_secret": "..."
}
```

## 14-day pre-departure anomaly detection

Regardless of whether the lockout is triggered manually, via Okta, or via HRIS, Toktra runs a **14-day pre-departure anomaly detection** window before generating the audit snapshot.

Toktra analyzes the user's LLM usage in the 14 days prior to the lockout date and flags:

* Unusual spikes in token volume
* Access to models or providers not typically used by the employee
* Off-hours activity patterns
* Large data transfers to external LLM endpoints

Anomalies detected in this window are included in the audit snapshot PDF, giving your security team a head start on any investigation.

<Tip>
  For high-risk roles (e.g., engineers with access to sensitive codebases), consider using the HRIS integration's pre-departure detection in combination with the GitHub IP Risk dashboard to correlate anomalous LLM usage with unusual code commit activity.
</Tip>
