> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toktra.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# HRIS

> Connect Workday or BambooHR to automate the employee offboarding pipeline when a termination is detected.

Toktra's HRIS integration detects employee terminations from your HR system and automatically triggers the offboarding pipeline: a 14-day pre-departure anomaly scan, a tamper-proof audit snapshot, and then full access lockout. Approved personal usage reimbursements can also be exported to Expensify or SAP Concur.

## Supported systems

<CardGroup cols={2}>
  <Card title="Workday" icon="building">
    Polling integration — Toktra queries the Workday REST API on a configurable interval to detect termination events.
  </Card>

  <Card title="BambooHR" icon="leaf">
    Webhook integration — BambooHR sends termination events to Toktra in real time, verified with HMAC-SHA256.
  </Card>
</CardGroup>

***

## Why connect your HRIS

Without HRIS integration, offboarding an employee from all LLM tools requires a manual trigger in the Toktra dashboard. With HRIS integration:

* Terminations are detected automatically without IT intervention
* The 14-day anomaly scan window starts immediately on the employee's last day
* An audit snapshot is generated and stored in S3 before access is revoked
* The lockout pipeline fires within minutes of the termination event being detected

<Info>
  Toktra's offboarding pipeline revokes access to all connected LLM providers (OpenAI, Anthropic, etc.), pushes an Ed25519 lock command to the employee's device agents, and generates a tamper-proof PDF audit snapshot stored in S3 with Object Lock (7-year retention, COMPLIANCE mode).
</Info>

***

## Configuring Workday

<Steps>
  <Step title="Open HRIS settings">
    Go to **Integrations → HRIS** (`/integrations/hris`) in your Toktra dashboard. Click **Connect Workday**.
  </Step>

  <Step title="Enter Workday credentials">
    Provide your Workday REST API base URL, username, and password. Toktra uses these to poll the Workers endpoint for termination status changes.

    | Field        | Description                                                                                                             |
    | ------------ | ----------------------------------------------------------------------------------------------------------------------- |
    | **Base URL** | Your Workday REST API base URL, e.g. `https://wd2-impl-services1.workday.com/ccx/service/company/Human_Resources/v40.0` |
    | **Username** | Workday integration system user (ISU) credentials                                                                       |
    | **Password** | Password for the ISU account                                                                                            |

    ```bash title="Environment variables" theme={null}
    WORKDAY_BASE_URL=https://wd2-impl-services1.workday.com/ccx/service/company/Human_Resources/v40.0
    WORKDAY_USERNAME=toktra-isu
    WORKDAY_PASSWORD=your-password
    ```
  </Step>

  <Step title="Set polling interval">
    Choose how often Toktra polls Workday for termination events. The default is **1 hour**. Shorter intervals reduce the window between a termination and lockout, but increase API calls to Workday.

    <Note>
      Workday polling runs as a Celery beat task (`poll_workday_terminations`). The interval is configurable but cannot be set below 15 minutes to stay within Workday API rate limits.
    </Note>
  </Step>

  <Step title="Save and test">
    Click **Save**. Toktra immediately attempts a test poll to verify connectivity and displays the response status.
  </Step>
</Steps>

***

## Configuring BambooHR

BambooHR pushes termination events to Toktra in real time using webhooks.

<Steps>
  <Step title="Get your Toktra webhook URL">
    Go to **Integrations → HRIS** and click **Connect BambooHR**. Copy the webhook endpoint URL shown on the page:

    ```
    https://api.toktra.io/v1/hris/bamboohr/webhook/{org_id}
    ```
  </Step>

  <Step title="Configure the webhook in BambooHR">
    In BambooHR, go to **Account → Webhooks** and create a new webhook:

    * **Post to URL**: paste the Toktra webhook URL above
    * **Monitor these fields**: `employmentStatus`
    * **When would you like to be notified**: When a value changes
    * **Secret key**: generate a strong random secret (minimum 32 characters)
  </Step>

  <Step title="Enter the BambooHR secret in Toktra">
    Back in Toktra, enter your BambooHR subdomain, API key, and the webhook secret you set in BambooHR:

    | Field              | Description                                                        |
    | ------------------ | ------------------------------------------------------------------ |
    | **Subdomain**      | Your BambooHR subdomain, e.g. `company` for `company.bamboohr.com` |
    | **API key**        | A BambooHR API key with read access to employee records            |
    | **Webhook secret** | The secret key you entered in BambooHR                             |

    ```bash title="Environment variables" theme={null}
    BAMBOOHR_SUBDOMAIN=company
    BAMBOOHR_API_KEY=your-api-key
    BAMBOOHR_WEBHOOK_SECRET=your-webhook-secret
    ```
  </Step>

  <Step title="Save">
    Click **Save**. Toktra verifies the configuration and starts listening for webhook events.
  </Step>
</Steps>

### BambooHR webhook verification

Every webhook request from BambooHR includes an `X-BambooHR-Signature` header. Toktra computes an HMAC-SHA256 digest of the raw request body using `BAMBOOHR_WEBHOOK_SECRET` and rejects any request where the signatures don't match.

<Warning>
  Do not expose your `BAMBOOHR_WEBHOOK_SECRET`. Rotate it immediately in both BambooHR and Toktra if you suspect it has been compromised.
</Warning>

***

## What happens on termination detection

When Toktra detects an employee termination (from either Workday or BambooHR), it executes the offboarding pipeline in three phases:

<Steps>
  <Step title="14-day pre-departure anomaly scan">
    Toktra runs an anomaly detection analysis over the 14 days before the termination date. This flags unusual usage patterns — large data extractions, access to atypical models, or off-hours activity — that may indicate data exfiltration. Results are attached to the offboarding audit record.
  </Step>

  <Step title="Audit snapshot generation">
    Toktra generates a tamper-proof PDF audit snapshot containing the employee's full LLM usage history, policy violations, and anomaly scan results. The PDF is:

    * Signed with a SHA-256 digest
    * Stored in S3 with **Object Lock** (COMPLIANCE mode, 7-year retention)
    * Linked to the employee's offboarding record in Toktra

    The S3 key follows the pattern `offboarding-snapshots/{org_id}/{user_id}/{timestamp}.pdf`.
  </Step>

  <Step title="Access lockout">
    After the audit snapshot is confirmed uploaded, Toktra:

    * Revokes the employee's API keys and licenses from all connected LLM providers (OpenAI, Anthropic, Azure OpenAI, etc.)
    * Sends an Ed25519-signed lock command to all enrolled device agents on the employee's managed devices
    * Invalidates all active Toktra sessions for the user
  </Step>
</Steps>

<Info>
  The entire pipeline typically completes within 2–5 minutes of a termination event being received. Workday polling adds up to one polling interval of latency (default: 1 hour).
</Info>

***

## Viewing HRIS sync events

Every termination event and pipeline execution is recorded in the HRIS sync log:

1. Go to **Integrations → HRIS → Sync log**
2. Each entry shows the employee, termination date, event source (Workday or BambooHR), and pipeline status
3. Click an entry to see the full timeline: event received → anomaly scan complete → snapshot uploaded → lockout triggered

You can also download the audit snapshot PDF directly from the sync log entry.

***

## Exporting reimbursements

Approved personal usage reimbursement requests can be exported to your payroll or expense system:

<Tabs>
  <Tab title="Expensify">
    Configure your Expensify partner credentials in **Settings → Reimbursements → Export**:

    ```bash title="Environment variables" theme={null}
    EXPENSIFY_PARTNER_ID=your-partner-id
    EXPENSIFY_PARTNER_USER_SECRET=your-user-secret
    ```

    Approved reimbursements are exported as expense reports via the Expensify Integration Server API. Go to **Reimbursements → Export** and click **Export to Expensify** to trigger an export.
  </Tab>

  <Tab title="SAP Concur">
    Configure your Concur OAuth credentials in **Settings → Reimbursements → Export**:

    ```bash title="Environment variables" theme={null}
    CONCUR_CLIENT_ID=your-client-id
    CONCUR_CLIENT_SECRET=your-client-secret
    CONCUR_BASE_URL=https://us.api.concursolutions.com
    ```

    Approved reimbursements are submitted as expense entries via the Concur Expense API. Go to **Reimbursements → Export** and click **Export to Concur** to trigger an export.
  </Tab>
</Tabs>

Exports are processed asynchronously. You can monitor export status in **Reimbursements → Export history**. Each export job shows the number of requests exported, the destination system, and any errors.

<Note>
  Only reimbursements with status `approved` are included in exports. Requests in `pending` or `rejected` status are skipped. Once exported, a request's status updates to `exported` and it won't be included in future export runs.
</Note>
