Documentation Index
Fetch the complete documentation index at: https://docs.axiomancer.io/llms.txt
Use this file to discover all available pages before exploring further.
Microsoft Teams, Atlassian, and Workday HRIS connectors
Three new connectors are live on the Layer integrations catalog:- Microsoft Teams — discovers Teams as a SaaS app and inventories every user with their last activity, so dormant Teams licenses surface alongside the rest of your seat data.
- Atlassian (Jira & Confluence) — one OAuth sign-in covers both products. Per-user last-active times feed access reviews and offboarding, and each connected Atlassian product (Jira, Confluence, and the rest) shows up as its own SaaS app in the inventory. See Atlassian integration.
- Workday HRIS — paginated worker sync with department, cost center, and termination data. Termination events flow straight into offboarding tasks so departing employees trigger their per-app action plan automatically.
Notion connector
A new Notion integration is live in the Layer integrations catalog. Connect a Notion workspace through OAuth and Layer surfaces the workspace itself as a SaaS app and inventories every workspace member as a Layer user, so Notion seats and members flow into access reviews and offboarding alongside the rest of your stack. Workspaces connected without the Notionread_user scope still register as a SaaS app — granting the scope unlocks the per-member roster on the next sync.Gmail receipt scanner
A new Gmail Receipt Scanner connector now reads vendor receipts directly from a connected Gmail mailbox and turns them into Layer assets. The initial scan covers the trailing 12 months of mail, parses the full email body for vendor, amount, and renewal terms, and adds discovered SaaS subscriptions to your asset inventory automatically — no manual contract upload required for anything that lands in your inbox. Companion support for Microsoft 365 mail is enabled at the same time, so M365 Mail and Gmail receipts both flow into the same asset inventory and feed contracts and spend management downstream.Asset bundles with one-click assignment
The Assets → Bundles page lets you define reusable sets of assets — for example, a “New Hire Bundle” with a laptop, monitor, and peripherals — and assign the whole bundle to a user in one click. Each bundle template carries a per-item monthly cost rollup so you can see the total recurring cost of provisioning the bundle before you assign it, and an assignment record is written for every bundle issued so finance and IT share a single view of who has what. Bundles are scoped per workspace and integrate with the existing asset inventory and offboarding flows.Manual asset creation and CSV bulk import
The Assets page now supports two ways to add inventory without waiting for a connector sync:- Create asset — a modal for adding a single asset (SaaS app, device, or user-assigned record) by hand, with full status and metadata fields.
- CSV import — bulk-load up to 1,000 assets per file, with column-level validation and a preview before commit.
Sign-in consolidates on Auth0 Universal Login
The Layer login and sign-up pages now route every sign-in through Auth0 Universal Login. Both pages render a single primary action — Sign in on/login and Create account on /signup — that hands off to Auth0, where you complete authentication with Google Workspace, Microsoft, or any other identity provider configured on your tenant. After Auth0 confirms the session, Layer mints the matching tenant session and lands you on the dashboard with everything wired up — no second sign-in.The previous in-page email/password form and the standalone Continue with Google Workspace button have been retired. Existing accounts — including those originally created with email and password — continue to sign in through Auth0 with the same email address and the corresponding Auth0 credential, and retain all of their organization data, integrations, and history. New accounts continue straight to Create your workspace after their first Auth0 sign-in. The ?next= redirect parameter on /login is preserved through the Auth0 round-trip, so deep links into the dashboard still resolve to the originally requested path. See Getting started.Azure connector links resource groups to their subscription
The Azure integration now emits a HostedOn relationship from every discovered resource group to its parent subscription, with the resource group’slocation stored as relationship metadata. Existing Azure connections pick up the new edges on their next sync — no reconnection or permission change required. The result is a connected view of how each resource group rolls up to the subscription that owns it, so access reviews and compliance evidence in Axiom Codex can scope role-assignment blast radius down the Azure hierarchy without manually stitching subscriptions to their resource groups.GitHub connector now surfaces Copilot seats and per-org members
The GitHub integration now emits each connected GitHub organization as its own SaaS app, lists every org member as a Layer user with last-active timestamps, and records a Copilot license entry for each provisioned seat on Copilot Business or Enterprise plans. Organizations without Copilot are skipped silently. The result is a more complete picture of GitHub seat utilization in the asset inventory and a direct feed for compliance evidence on developer-tool access.Okta connector now maps every user to their assigned apps
The Okta integration now emits a SaaS app for every Okta-managed application and a per-user assignment for every user→app pairing it discovers, alongside the existing user and group sync. Each assignment records when the user was first granted access, so the inventory surfaces which Okta-managed apps each employee actually has access to, and which assignments haven’t been touched. Useful for spotting dormant accounts, rightsizing licenses ahead of an access review, and feeding Okta-managed SaaS into offboarding automatically.Inactive-user flagging on Microsoft 365 / Entra ID
The Microsoft 365 integration now reads Entra ID’ssignInActivity.lastSignInDateTime for every synced user and flags accounts with no interactive sign-in in the trailing 90 days. Inactive users surface in access reviews so you can reclaim or deprovision dormant licenses without manually cross-referencing sign-in logs.Inactive-user flagging on Google Workspace
The Google Workspace integration now reads each user’s last sign-in time from the Admin Reports API and flags accounts with no activity in the trailing 90 days. Dormant Workspace identities surface in access reviews and feed offboarding without manually cross-referencing the admin console. Connections that haven’t been re-authorized for the new reports scope continue syncing as before; granting View Reports on the existing OAuth consent screen unlocks the inactive-user signal automatically.Installed app inventory from Jamf, Intune, and Kandji
The Jamf, Intune, and Kandji connectors now inventory every application installed across your managed device fleet. Each discovered app appears as a SaaS app in the integrations inventory, and an installed on relationship links each app to the devices it’s running on — so you can see at a glance which laptops actually have a given tool, surface unmanaged installs that never went through procurement, and drive deprovisioning from the same view that already tracks device assignment. App inventory ships alongside the existing device sync on each connector with no extra connection step. Intune requires theDeviceManagementManagedDevices.Read.All Graph permission to enumerate detected apps; tenants without it continue to sync devices unchanged.OAuth grants now appear as SaaS apps
Google Workspace and Microsoft 365 / Entra ID syncs now emit a SaaS app entry for every third-party OAuth application granted access to your tenant, alongside the user, group, and device data they already produced. Shadow OAuth integrations users have authorized — the long tail of “Sign in with Google” and Entra app consents — now show up in the Apps view automatically, with the granting user attached for follow-up.Entra ID OAuth grants link the granting user
The Microsoft 365 / Entra ID connector now records a per-user Uses relationship for every third-party OAuth grant it discovers, so each shadow app that lands in the Apps view is wired directly to the employees who consented to it. Useful for triaging risky OAuth grants — open the app, see exactly who granted access and which scopes were approved, and route follow-up without exporting consent logs by hand. No new permissions are required; the relationships are derived from the sameoauth2PermissionGrants data the connector already reads.Google Workspace OAuth grants link the granting user
The Google Workspace connector now records a per-user Uses relationship for every third-party OAuth grant it discovers, matching the Entra ID behavior. Each shadow app surfaced from aSign in with Google consent now lands in the Apps view wired directly to the employees who authorized it, with the approved scopes attached to the relationship. Open a discovered OAuth app, see the exact list of users who granted access and the scopes each one approved, and route review or revocation without re-running the per-user token enumeration by hand. No new scopes are required — the relationships are derived from the same per-user admin.directory.user.security token data the connector already enumerates for app discovery. Existing connections pick up the new relationships automatically on the next sync.MDM device assignments link directly to users
The JumpCloud MDM and Level.io connectors now emit an AssignedTo relationship from each managed device to the user it’s assigned to, derived from the assigned-user fields each tenant already returns. Device-to-user links surface in the asset inventory and feed offboarding automatically — when an employee leaves, every managed laptop wired to them is queued for reclaim alongside their SaaS access. No new permissions or scopes are required; the relationships are derived from the same device sync the connectors already run, and existing connections pick them up on the next sync.OneLogin connector now inventories assigned apps
The OneLogin connector now emits a SaaS app entry for every application in your OneLogin catalog and a per-user assignment for each user→app pairing it discovers, alongside the existing user roster. Inventory and assignment data flow into the Apps view and feed access reviews and offboarding so OneLogin-managed seats are visible alongside the rest of your stack. Connections without the Manage Users scope continue to sync the catalog without per-user assignments; granting the scope unlocks the assignment data automatically on the next sync.Apps page now leads with a four-card stats strip
The Apps page on the Layer dashboard now opens with a four-card stats strip — Monthly spend, Managed licenses, Discovered apps, and AI tools — pinned above the apps table, so the headline numbers for the connected SaaS surface are visible the moment the page loads. The strip rolls up the same data already used downstream in spend management and the integrations inventory, and tracks the active filter so the totals reflect the apps you’re actually looking at.Seat utilization bars on the Apps table
The Apps table on the Layer dashboard now shows a mini progress bar for each app’s seat utilization in place of the previous “12 / 50 underused” text. Bars render green when seats are healthily allocated and amber when fewer than half the licensed seats are in active use, so under-utilized SaaS contracts surface at a glance during access reviews and renewal triage. The same bar appears on both the desktop table and the mobile card view.Collapsible sidebar with grouped navigation
The Layer dashboard sidebar is now collapsible to an icon-only rail. Toggle it from the footer and the state persists across page reloads. Nav items are also reorganized into four titled sections — Discover (Dashboard, Apps, People, Assets, Hardware), Finance (Spend, Renewals, Contracts, Licenses), Operations (Integrations, AI Usage), and Account (Settings, Billing) — so dense product surfaces are easier to scan at a glance, and the missing Assets, Spend, and Integrations items are now first-class entries instead of buried inside other pages. The dashboard layout also clamps to a max width on large monitors so content no longer stretches edge-to-edge.⌘K command palette synced with the sidebar
The ⌘K command palette on the Layer dashboard now mirrors the sidebar’s four-section structure — Discover, Finance, Operations, Account — and picks up every nav item the sidebar surfaces, including AI Usage and the new Assets / Spend / Integrations entries. Jumping to a page from the keyboard now lands you in the same group you’d find it in the sidebar.Stats strips on Contracts and Renewals
The Contracts and Renewals pages now open with a four-card stats strip pinned above the table — Total Contracts, Annual Value, Due in 30 Days, and Auto-renewal Risk for Contracts; Upcoming, Due in 30 Days, Due 30–60 Days, and Auto-renewal count for Renewals. The headline numbers are visible the moment the page loads, so renewal triage and contract review don’t require scrolling into the table to size up the queue. Both pages also pick up the samePageHeader treatment as the rest of the dashboard, with action buttons consolidated into the header so the border-bottom separator spans the full width.Recharts-backed charts on Spend and Benchmarks
The hand-rolled SVG charts on the Spend detail page and the Benchmarks page have been replaced with interactive recharts components. Spend detail now uses the sameSpendBarChart as the rest of the dashboard, and Benchmarks ships a vertical grouped bar chart comparing your spend against the peer median per category, with hover tooltips, a legend, and animated entry. Both charts respond to the dashboard’s accent color so they stay consistent across themes.Loading skeletons across the dashboard
Loading skeletons now match the actual layout of every major dashboard page — Spend, Licenses, Contracts, AI Usage, Benchmarks, Assets, and Audit. Each skeleton mirrors its page’sPageHeader, stats strip, charts, and table rows so navigation feels stable instead of flashing a blank panel before content lands.Visual normalization across the dashboard
A sweeping polish pass on the Layer dashboard. Every card, panel, and container now uses the samerounded-2xl corner radius (settings, licenses, contracts, renewals, spend, assets, apps, and people detail views previously rendered slightly tighter corners). Table headers across Contracts, Licenses, Dashboard, Benchmarks, and Spend detail are normalized to font-semibold. The AssetTypeBadge now shows SaaS App correctly (previously rendered “Saas App”) and ships explicit labels and color tints for all 17 asset types. Every major page — Integrations, Settings, Search, Licenses, AI Usage, Benchmarks, Assets, AI Usage sub-pages, virtual cards, license sub-pages — now uses the shared PageHeader component, with a consistent title → subtitle → border-bottom hierarchy and a ← Back link on every detail or sub-page.Apps and People views populate after sync
The Layer dashboard’s Apps and People views now render the data your connected sources actually return. A workspace-scoping bug was silently zeroing out reads for connected organizations, so freshly synced apps from Google Workspace, Microsoft 365, GitHub, and the rest of the catalog — and employees from connected HRIS and directory sources — appeared as blank views even when sync logs reported records ingested. Reads now resolve against the correct workspace context, and existing connections start populating both views on the next page load. No re-sync required.Dashboard widgets render for connected orgs
Patched a production bug where the dashboard’s spend, employee-cost, and integration widgets rendered as empty states for orgs that had real data behind them. The widgets — including the employee count and per-app cost rollups — now resolve correctly on first load. The same fix repairs the assets page and the employee-costs API, so any surface that depended on the underlying scoping is back to live numbers.Platform-initiated ingest no longer rate-limited
Per-request rate limits on the Drift ingest endpoint now trust the platform-supplied client IP, so syncs initiated by the platform itself — health checks, scheduled refreshes, and connection backfills — are no longer throttled when many connected workspaces fire at once. User-driven ingest from third-party forwarders continues to be rate-limited per-IP exactly as before.Connector sync registers every supported source
Adding a connector to a workspace now succeeds for every source in the catalog. A registration step had been skipped for some new connectors, surfacing as an “unsupported source” error on first sync — most visibly for Microsoft Entra ID, which is now correctly aliased to its underlying directory connector. Existing connections are unaffected; new connections complete their first sync without manual retry.Faster cockpit row sampling
Sample-row lookups on the Layer cockpit now run their candidate queries in parallel instead of sequentially, cutting a noticeable delay on tables where the canonical column varied between tenants. No user-facing changes beyond the speedup.Sentry Replay disabled on authenticated routes
Sentry Session Replay no longer records on the authenticated/dashboard and /settings surfaces in the Layer dashboard, and any in-flight replay stops on client-side route transitions away from a replay-eligible page. Tenant data never enters a replay buffer; production exception reporting and stack traces are unchanged.