What is a Unified API?
A unified API provides a single, standardized interface to interact with multiple third-party providers. Instead of learning each provider’s unique API format, authentication scheme, and data model, you write code once, and StackOne handles the differences.
What StackOne normalizes:
- Data models – Consistent field names and structures across providers (e.g., files in Google Drive, SharePoint, and Dropbox all return the same schema; users in Google Workspace, Okta, and 1Password all return the same schema)
- Authentication – OAuth, API keys, and tokens are managed per-provider; you just pass an x-account-id header
- Pagination – Cursor-based pagination works the same regardless of whether the provider uses offsets, pages, or cursors
- Error formats – Standardized error responses with provider-specific details when available
The Policies API has moved to Legacy Unified APIs.
Entity Model
The IAM API is built around six core entities.
IamCredentials is not included in the diagram above. It represents the authenticated connection context returned by GET /unified/iam/me — not a stored identity object with relationships to users, roles, or groups.
| Entity | Description |
|---|---|
| IamUser | An individual with access to the provider. Carries profile fields, activity timestamps, MFA status, and expandable collections of roles, groups, and direct permissions. |
| IamRole | A named set of permissions. Roles can be scoped to a specific resource type and ID (scope), making them applicable to a particular group, organization, or resource. |
| IamGroup | A collection of users. Groups can nest via parent_id and child_group_ids, belong to an organization, and carry their own role assignments. Expand users to get group members. |
| IamOrganization | A top-level tenant or workspace. Groups and users are linked to an organization via organization_id and filter parameters. |
| IamPermission | A specific action type (read, write, comment, create, edit, delete) scoped to one or more resource types and optional resource IDs. |
| IamCredentials | The authenticated connection making the request. Returned by GET /unified/iam/me — includes auth type, granted scopes, effective permissions, and last-used timestamp. |
Permission and scope model
IamPermission has a type (the action) and a scopes array. Each scope entry has a resource_type (e.g. file, channel, user) and an optional resource_id. When resource_id is absent, the permission applies to all resources of that type.
Roles carry the same scoping via IamRoleScope on the role itself, allowing a role to be valid only within a specific organizational context.
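The scope rule above can be turned into an access-review check. The following is an added example, not StackOne's code: it evaluates direct permissions only (role scoping is not modeled) and flags risky actions granted with no resource_id, which apply to every resource of that type. The field names type, scopes, resource_type and resource_id come from the model above; the email and permissions keys on the user record, the sample values, and the choice to treat an empty scopes array as granting nothing are assumptions.

```python
# Constructed sample data. "email" and "permissions" as keys on the user
# record are assumptions made for this example.
SAMPLE_USERS = [
    {"email": "alice@example.com", "permissions": [
        {"type": "read", "scopes": [{"resource_type": "file"}]},
        {"type": "delete", "scopes": [{"resource_type": "file", "resource_id": "f-1"}]},
    ]},
    {"email": "bob@example.com", "permissions": [
        {"type": "delete", "scopes": [{"resource_type": "file"},
                                      {"resource_type": "channel", "resource_id": "c-9"}]},
    ]},
    {"email": "carol@example.com", "permissions": [
        {"type": "write", "scopes": []},  # assumption: empty scopes grant nothing
    ]},
]

RISKY_ACTIONS = frozenset({"write", "edit", "delete"})


def scope_matches(scope, resource_type, resource_id):
    """A scope covers a resource if the type matches and resource_id is absent or equal."""
    if scope.get("resource_type") != resource_type:
        return False
    scoped_id = scope.get("resource_id")
    return scoped_id is None or scoped_id == resource_id


def is_allowed(user, action, resource_type, resource_id):
    """True if any direct permission of the user grants `action` on the resource."""
    return any(
        perm.get("type") == action
        and any(scope_matches(s, resource_type, resource_id) for s in perm.get("scopes") or [])
        for perm in user.get("permissions") or []
    )


def type_wide_grants(users, risky_actions=RISKY_ACTIONS):
    """Return sorted (email, action, resource_type) for risky grants with no resource_id."""
    findings = set()
    for user in users:
        for perm in user.get("permissions") or []:
            if perm.get("type") not in risky_actions:
                continue
            for scope in perm.get("scopes") or []:
                if scope.get("resource_id") is None:
                    findings.add((user["email"], perm["type"], scope.get("resource_type")))
    return sorted(findings)
```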
Endpoints
| Method | Path | Operation | Description |
|---|---|---|---|
| GET | /unified/iam/users | iam_list_users | List users — filter by email, group, role, organization, updated_after |
| GET | /unified/iam/users/{id} | iam_get_user | Get user by ID |
| PATCH | /unified/iam/users/{id} | iam_update_user | Update user |
| DELETE | /unified/iam/users/{id} | iam_delete_user | Delete user |
| GET | /unified/iam/roles | iam_list_roles | List roles |
| GET | /unified/iam/roles/{id} | iam_get_role | Get role by ID |
| GET | /unified/iam/groups | iam_list_groups | List groups |
| GET | /unified/iam/groups/{id} | iam_get_group | Get group by ID |
| GET | /unified/iam/organizations | iam_list_organizations | List organizations |
| GET | /unified/iam/organizations/{id} | iam_get_organization | Get organization by ID |
| GET | /unified/iam/me | iam_get_me | Get current connection credentials |
| GET | /unified/iam/resource_types | iam_list_resource_types | List resource types supported by this provider |
| GET | /unified/iam/resource_users | iam_list_resource_users | List users with access to a specific resource |
StackOne SDKs & OpenAPI Specification
Use our official SDKs for faster integration. Build with language-native libraries. Full list here.