connectors
The IAM surface area, in one place.
First-class connectors for the systems most teams live in. Generic SCIM and webhook adapters for the rest. Nothing browser-automated unless a vendor refuses to ship an API.
live now
Production-ready integrations.
These connectors run real API calls against live tenants. Each one ships with documented permissions scope, rotation runbook, and integration tests.
Okta
Identity
deactivate · revoke sessions · delete user · reinstate
live
Slack
Seat · HITL approvals
deactivate seat · post approval messages · DM notifications
live
beta
In active validation.
Code-complete and unit-tested. They issue real API calls, but haven't cleared the end-to-end validation against a live vendor tenant that we require before calling anything GA.
Microsoft 365 / Entra ID
Identity · Licenses
block sign-in · revoke sessions · delete user · reclaim license
beta
GitHub
Org · PAT
remove from org · revoke PAT · revoke SSH keys
beta
Zoom
Seat
deactivate · delete user · reclaim seat
beta
Salesforce
License reclamation
deactivate · freeze license (30d grace)
beta
BambooHR
HRIS · source of truth
termination lookup · employee status verify
beta
Workday
HRIS · source of truth
termination lookup · status verify · manager-aware approval · authoritative effective date
beta
Google Workspace
Identity · Licenses
suspend · revoke sessions · delete user · reinstate
beta
on the roadmap
Coming when a customer asks.
Scoped, designed, not yet built. We prioritize by which customer signs first.
Rippling
HRIS · source of truth
termination lookup · status verify
planned
Jira / Atlassian
Seat · ticket reassign
deactivate · reassign open tickets
planned
AWS IAM Identity Center
Cloud · permission sets
disable · remove from permission sets
planned
lifecycle coverage
Not just leavers.
The connectors above drive the whole joiner / mover / leaver lifecycle plus the governance around it. Offboarding is validated end-to-end against a live tenant; the rest is code-complete and in active validation, dark behind feature flags until each connector is flipped live.
Offboarding (Leaver)
Lifecycle
soft-deactivate · reclaim licenses · deferred hard delete · reinstate window
live
Provisioning (Joiner)
Lifecycle
birthright templates by role + dept · privileged grants force HITL · no-template → human
beta
Role change (Mover)
Lifecycle
live-read diff · grant-before-revoke · base access preserved · ad-hoc flagged
beta
Access reviews (UAR)
Governance
roster snapshot · Slack attestation · surgical revoke · CSV evidence
beta
Scheduled offboarding
Governance
future-dated, held at the gatekeeper · HRIS re-verify before it fires
beta
Data transfer + SIEM export
Governance
Drive/OneDrive/mailbox handoff before delete · stream audit chain to your SIEM
beta
how a new integration works
What it takes to add yours.
A connector is a small Python module that exposes three verbs: soft_revoke, hard_revoke, and reinstate. We add one to the codebase, write an integration test against the vendor's sandbox, register it in the Vault credential schema, and ship. A typical first-class connector takes 1–2 days. SCIM-based connectors are essentially free.
design partners · q3 2026
Need a connector that's not listed?
Tell us your stack on the pilot form. If we already build one in the next two weeks anyway, you get it free. If not, we'll quote it.