Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.toktra.dev/llms.txt

Use this file to discover all available pages before exploring further.

Toktra’s HRIS integration detects employee terminations from your HR system and automatically triggers the offboarding pipeline: a 14-day pre-departure anomaly scan, a tamper-proof audit snapshot, and then full access lockout. Approved personal usage reimbursements can also be exported to Expensify or SAP Concur.

Supported systems

Workday

Polling integration — Toktra queries the Workday REST API on a configurable interval to detect termination events.

BambooHR

Webhook integration — BambooHR sends termination events to Toktra in real time, verified with HMAC-SHA256.

Why connect your HRIS

Without HRIS integration, offboarding an employee from all LLM tools requires a manual trigger in the Toktra dashboard. With HRIS integration:
  • Terminations are detected automatically without IT intervention
  • The 14-day anomaly scan window starts immediately on the employee’s last day
  • An audit snapshot is generated and stored in S3 before access is revoked
  • The lockout pipeline fires within minutes of the termination event being detected
Toktra’s offboarding pipeline revokes access to all connected LLM providers (OpenAI, Anthropic, etc.), pushes an Ed25519 lock command to the employee’s device agents, and generates a tamper-proof PDF audit snapshot stored in S3 with Object Lock (7-year retention, COMPLIANCE mode).

Configuring Workday

1

Open HRIS settings

Go to Integrations → HRIS (/integrations/hris) in your Toktra dashboard. Click Connect Workday.
2

Enter Workday credentials

Provide your Workday REST API base URL, username, and password. Toktra uses these to poll the Workers endpoint for termination status changes.
FieldDescription
Base URLYour Workday REST API base URL, e.g. https://wd2-impl-services1.workday.com/ccx/service/company/Human_Resources/v40.0
UsernameWorkday integration system user (ISU) credentials
PasswordPassword for the ISU account
Environment variables
WORKDAY_BASE_URL=https://wd2-impl-services1.workday.com/ccx/service/company/Human_Resources/v40.0
WORKDAY_USERNAME=toktra-isu
WORKDAY_PASSWORD=your-password
3

Set polling interval

Choose how often Toktra polls Workday for termination events. The default is 1 hour. Shorter intervals reduce the window between a termination and lockout, but increase API calls to Workday.
Workday polling runs as a Celery beat task (poll_workday_terminations). The interval is configurable but cannot be set below 15 minutes to stay within Workday API rate limits.
4

Save and test

Click Save. Toktra immediately attempts a test poll to verify connectivity and displays the response status.

Configuring BambooHR

BambooHR pushes termination events to Toktra in real time using webhooks.
1

Get your Toktra webhook URL

Go to Integrations → HRIS and click Connect BambooHR. Copy the webhook endpoint URL shown on the page:
https://api.toktra.io/v1/hris/bamboohr/webhook/{org_id}
2

Configure the webhook in BambooHR

In BambooHR, go to Account → Webhooks and create a new webhook:
  • Post to URL: paste the Toktra webhook URL above
  • Monitor these fields: employmentStatus
  • When would you like to be notified: When a value changes
  • Secret key: generate a strong random secret (minimum 32 characters)
3

Enter the BambooHR secret in Toktra

Back in Toktra, enter your BambooHR subdomain, API key, and the webhook secret you set in BambooHR:
FieldDescription
SubdomainYour BambooHR subdomain, e.g. company for company.bamboohr.com
API keyA BambooHR API key with read access to employee records
Webhook secretThe secret key you entered in BambooHR
Environment variables
BAMBOOHR_SUBDOMAIN=company
BAMBOOHR_API_KEY=your-api-key
BAMBOOHR_WEBHOOK_SECRET=your-webhook-secret
4

Save

Click Save. Toktra verifies the configuration and starts listening for webhook events.

BambooHR webhook verification

Every webhook request from BambooHR includes an X-BambooHR-Signature header. Toktra computes an HMAC-SHA256 digest of the raw request body using BAMBOOHR_WEBHOOK_SECRET and rejects any request where the signatures don’t match.
Do not expose your BAMBOOHR_WEBHOOK_SECRET. Rotate it immediately in both BambooHR and Toktra if you suspect it has been compromised.

What happens on termination detection

When Toktra detects an employee termination (from either Workday or BambooHR), it executes the offboarding pipeline in three phases:
1

14-day pre-departure anomaly scan

Toktra runs an anomaly detection analysis over the 14 days before the termination date. This flags unusual usage patterns — large data extractions, access to atypical models, or off-hours activity — that may indicate data exfiltration. Results are attached to the offboarding audit record.
2

Audit snapshot generation

Toktra generates a tamper-proof PDF audit snapshot containing the employee’s full LLM usage history, policy violations, and anomaly scan results. The PDF is:
  • Signed with a SHA-256 digest
  • Stored in S3 with Object Lock (COMPLIANCE mode, 7-year retention)
  • Linked to the employee’s offboarding record in Toktra
The S3 key follows the pattern offboarding-snapshots/{org_id}/{user_id}/{timestamp}.pdf.
3

Access lockout

After the audit snapshot is confirmed uploaded, Toktra:
  • Revokes the employee’s API keys and licenses from all connected LLM providers (OpenAI, Anthropic, Azure OpenAI, etc.)
  • Sends an Ed25519-signed lock command to all enrolled device agents on the employee’s managed devices
  • Invalidates all active Toktra sessions for the user
The entire pipeline typically completes within 2–5 minutes of a termination event being received. Workday polling adds up to one polling interval of latency (default: 1 hour).

Viewing HRIS sync events

Every termination event and pipeline execution is recorded in the HRIS sync log:
  1. Go to Integrations → HRIS → Sync log
  2. Each entry shows the employee, termination date, event source (Workday or BambooHR), and pipeline status
  3. Click an entry to see the full timeline: event received → anomaly scan complete → snapshot uploaded → lockout triggered
You can also download the audit snapshot PDF directly from the sync log entry.

Exporting reimbursements

Approved personal usage reimbursement requests can be exported to your payroll or expense system:
Configure your Expensify partner credentials in Settings → Reimbursements → Export:
Environment variables
EXPENSIFY_PARTNER_ID=your-partner-id
EXPENSIFY_PARTNER_USER_SECRET=your-user-secret
Approved reimbursements are exported as expense reports via the Expensify Integration Server API. Go to Reimbursements → Export and click Export to Expensify to trigger an export.
Exports are processed asynchronously. You can monitor export status in Reimbursements → Export history. Each export job shows the number of requests exported, the destination system, and any errors.
Only reimbursements with status approved are included in exports. Requests in pending or rejected status are skipped. Once exported, a request’s status updates to exported and it won’t be included in future export runs.