Identity automation for the apps your IdP can't reach

93% of SaaS apps don't support SCIM. earbit extends Okta and Entra ID to every app in your portfolio. Self-hosted, source-available, two containers.

Get Started Book a Demo

docker-compose.yml

# earbit.yaml
services:
earbit:
image: earbit/earbit:latest
ports:
 - "8080:8080"
volumes:
 - ./data:/data
environment:
EARBIT_VAULT_KEY: ${VAULT_KEY}
worker:
image: earbit/worker:latest
depends_on:
 - earbit

The problem

Your IdP has a blind spot

Okta and Entra ID manage lifecycle for apps that support SCIM and SAML. That's fewer than 7% of applications. The rest of your portfolio is invisible.

93% of apps lack SCIM support

46% of orgs report breaches from manual identity workflows

10-20 hrs per week on manual provisioning and deprovisioning

The rest of your app portfolio lives in spreadsheets, tickets, and tribal knowledge. Former employees keep access for days or weeks after departure. Shared credentials get emailed around. Auditors ask who has access to what, and you can't answer with certainty for the majority of your apps.

The solution

How earbit works

earbit sits between your IdP and the apps it can't reach. Three components close the gap.

App Profiles

Machine-readable descriptions of how to interact with any application. Record UI flows with the browser extension or map API endpoints directly. Mix both strategies in a single profile.

Orchestration Engine

Receives lifecycle events from your IdP via SCIM. Selects the right execution strategy from the App Profile, dispatches jobs to automation workers, handles retries and failure escalation. Every operation is logged.

SCIM Server

earbit is a SCIM 2.0 service provider. Point Okta or Entra ID at earbit's SCIM endpoint. User lifecycle events flow directly into orchestration jobs, no middleware or webhook plumbing needed.

data flow

# IdP-triggered offboarding
Okta / Entra ID
 |
 | SCIM PATCH /Users/{id} active=false
 v
earbit SCIM Server --->  200 OK (immediate)
 |
 | async job queue
 v
Orchestration Engine
 |
 |--- App Profile (API) ---> Target App A  [deprovisioned]
 |--- App Profile (UI)  ---> Target App B  [deprovisioned]
 |--- App Profile (UI)  ---> Target App C  [deprovisioned]
# Every operation logged to append-only audit trail

Capabilities

Everything you need to close the gap

Lifecycle Automation

Provision and deprovision users across non-federated apps automatically when your IdP fires SCIM events. No manual tickets, no spreadsheets.

Encrypted Vault

AES-256-GCM envelope encryption. Self-hosted operators control their own key. Credentials decrypted only at point of use, never persisted in plaintext.

Audit Trail

Append-only log of every lifecycle operation. Who accessed what, when, and whether it succeeded or failed. Export for SOC 2 and ISO 27001.

Shared Account Management

Manage brand social accounts and service credentials. Per-session attribution lets you know exactly who used what. Automatic rotation on personnel changes.

Browser Extension

Two modes. Recorder captures UI flows to build App Profiles. Session mode injects credentials so end users never see passwords or TOTP codes.

SCIM Integration

Native SCIM 2.0 server for Okta and Entra ID. No middleware, no webhooks to configure. Point your IdP at earbit and lifecycle events flow automatically.

Get started

Three steps to close the coverage gap

Record

Install the browser extension. Walk through your app's user management flows. earbit captures every click and form fill as a replayable automation script.

Connect

Point your IdP's SCIM provisioner at earbit's endpoint. Map IdP groups to App Profiles with access policies. Users in group X get provisioned into app Y.

Automate

earbit handles the rest. Users join a group, they get provisioned. They leave, they get deprovisioned. Credentials rotate automatically. Every action is logged.

Open source

Source-available. Self-hosted. Your infrastructure.

earbit is licensed under BSL (Business Source License). Read every line of code. Deploy on your own infrastructure. Your credential vault never leaves your network.

terminal

$ git clone https://github.com/earbit/earbit.git
$ cd earbit
$ docker compose up
earbit-core | listening on :8080
earbit-core | vault initialized
earbit-core | SCIM endpoint ready at /scim/v2
earbit-worker | ready, waiting for jobs

No phone-home

earbit never contacts external servers. No license validation calls, no analytics beacons.

No usage telemetry

No data leaves your environment. Full source code means you can verify this yourself.

No vendor lock-in

SQLite database on your filesystem. Standard Docker containers. Migrate or fork whenever you want.

Compare

earbit vs. Cerby

Cerby pioneered the disconnected app category. earbit takes a different approach to the same problem: open, self-hostable, and priced for scale.

	earbit	Cerby
Source code	Source-available (BSL)	Closed source
Deployment	Self-hosted or cloud	SaaS only
Credential vault	On your infrastructure	Vendor-hosted
Automation approach	Deterministic recorded flows	Black-box AI agents
Pricing	Free self-hosted, usage-based cloud	~$4,000/app/year
App onboarding	Record in browser, < 1 hour	Vendor catalog + Scout tool