Stitchflow
Back to directory
Small Improvements logo

Small Improvements User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

UpdatedMar 16, 2026

Summary and recommendation

The Small Improvements REST API is available at https://www.small-improvements.com/api/v1 and authenticates via API key passed as a Bearer token in the Authorization header.

The key is generated from Company Settings → API in the admin UI;

there is no documented OAuth 2.0 flow.

Core user operations list, get by ID, create, update, and deactivate/delete

are available, but public documentation is sparse: pagination parameters, exact required fields for POST, PATCH support, and DELETE behavior (soft deactivation vs.

hard delete) are not officially published and must be validated against the live API.

Rate limits are also undocumented;

implement conservative retry logic from the start.

There are no webhooks;

use periodic polling to detect changes.

API quick reference

Has user APIYes
Auth methodAPI Key (Bearer token passed in Authorization header)
Base URLOfficial docs
SCIM availableNo
SCIM plan requiredEnterprise

Authentication

Auth method: API Key (Bearer token passed in Authorization header)

Setup steps

  1. Log in as an admin and navigate to Company Settings.
  2. Locate the API section and generate an API key.
  3. Include the key in all requests as: Authorization: Bearer

User object / data model

Field Type Description On create On update Notes
id string Internal user identifier auto-generated immutable
email string User's email address (login identifier) required supported Must be unique
firstName string User's first name required supported
lastName string User's last name required supported
role string User role within the platform (e.g., admin, user) optional supported
department string Department the user belongs to optional supported
managerId string ID of the user's direct manager optional supported
active boolean Whether the user account is active optional supported Deactivating does not delete the user

Core endpoints

List users

  • Method: GET
  • URL: https://www.small-improvements.com/api/v1/users
  • Watch out for: Exact query parameters and pagination behavior are not publicly documented.

Request example

GET /api/v1/users
Authorization: Bearer <api_key>

Response example

[{"id":"u1","email":"jane@example.com","firstName":"Jane","lastName":"Doe","active":true}]

Get user by ID

  • Method: GET
  • URL: https://www.small-improvements.com/api/v1/users/{userId}
  • Watch out for: Field names and response schema are inferred from limited public information; verify against live API.

Request example

GET /api/v1/users/u1
Authorization: Bearer <api_key>

Response example

{"id":"u1","email":"jane@example.com","firstName":"Jane","lastName":"Doe"}

Create user

  • Method: POST
  • URL: https://www.small-improvements.com/api/v1/users
  • Watch out for: Exact required fields not confirmed in public docs; test in a sandbox environment first.

Request example

POST /api/v1/users
Authorization: Bearer <api_key>
Content-Type: application/json
{"email":"new@example.com","firstName":"New","lastName":"User"}

Response example

{"id":"u2","email":"new@example.com","firstName":"New","lastName":"User","active":true}

Update user

  • Method: PUT
  • URL: https://www.small-improvements.com/api/v1/users/{userId}
  • Watch out for: Whether PATCH is also supported is not confirmed in public documentation.

Request example

PUT /api/v1/users/u2
Authorization: Bearer <api_key>
Content-Type: application/json
{"department":"Engineering"}

Response example

{"id":"u2","email":"new@example.com","department":"Engineering"}

Deactivate/delete user

  • Method: DELETE
  • URL: https://www.small-improvements.com/api/v1/users/{userId}
  • Watch out for: Behavior (soft deactivation vs. hard delete) is not explicitly documented publicly.

Request example

DELETE /api/v1/users/u2
Authorization: Bearer <api_key>

Response example

{"success":true}

Rate limits, pagination, and events

  • Rate limits: No rate-limit details are publicly documented.

  • Rate-limit headers: No

  • Retry-After header: No

  • Rate-limit notes: No rate-limit details are publicly documented.

  • Pagination method: offset

  • Default page size: Not documented

  • Max page size: Not documented

  • Pagination pointer: Not documented

  • Webhooks available: No

  • Webhook notes: No webhook capability is documented in official Small Improvements public materials.

  • Alternative event strategy: Poll the REST API periodically to detect user or data changes.

SCIM API status

  • SCIM available: No
  • SCIM version: Not documented
  • Plan required: Enterprise
  • Endpoint: Not documented

Limitations:

  • Native SCIM provisioning is not listed as a supported feature in official documentation.
  • SSO via Okta, Azure AD/Entra, and OneLogin is supported, but automated user provisioning via SCIM is not confirmed.
  • User lifecycle management must be handled via the REST API or manual admin actions.

Common scenarios

Three integration patterns are supported by the available endpoints, each with meaningful caveats.

For bulk onboarding, POST to /api/v1/users per employee (email, firstName, lastName minimum);

no batch endpoint is documented, so each user requires an individual request - factor this into throughput planning.

For offboarding, retrieve the user's internal ID via GET /api/v1/users, then send DELETE or PUT with active:false to /api/v1/users/{userId};

because soft-deactivation vs.

hard-delete behavior is undocumented, test in a non-production environment before running in production.

For HRIS manager-hierarchy sync, fetch all users, map HRIS manager IDs to Small Improvements user IDs, then update each record via PUT /api/v1/users/{userId} with the correct managerId

managers must be created before direct reports or the update will fail.

Building an accurate identity graph across these three flows requires storing the returned Small Improvements user ID at creation time and maintaining a durable mapping to your HRIS or IdP identifiers.

Bulk-import new employees via REST API

  1. Generate an API key from Company Settings > API.
  2. For each new employee, POST to /api/v1/users with email, firstName, and lastName.
  3. Store the returned user ID for future update or deactivation calls.

Watch out for: No bulk/batch endpoint is documented; each user requires an individual POST request.

Deactivate a departed employee

  1. Retrieve the user's internal ID via GET /api/v1/users?email= or list endpoint.
  2. Send DELETE (or PUT with active:false) to /api/v1/users/{userId}.
  3. Confirm the account is inactive before removing from IdP.

Watch out for: Soft-deactivation vs. hard-delete behavior is undocumented; test in a non-production environment.

Sync manager hierarchy from HRIS

  1. Fetch all users via GET /api/v1/users.
  2. Map HRIS manager IDs to Small Improvements user IDs.
  3. Update each user record with the correct managerId via PUT /api/v1/users/{userId}.

Watch out for: If managerId references a user not yet created in Small Improvements, the update may fail; ensure managers are created before direct reports.

Why building this yourself is a trap

The primary integration risk is documentation sparsity: field names, error codes, pagination behavior, and DELETE semantics are not publicly specified, meaning any production integration carries schema-drift risk that only live API testing can surface.

SCIM is not natively supported - IdP integrations with Okta, Entra, and OneLogin cover SSO only, not automated provisioning - so teams expecting IdP-driven lifecycle management will need to build that layer themselves via the REST API. The absence of webhooks means event-driven architectures are not possible;

polling introduces latency in offboarding flows, which is a security consideration for access revocation SLAs.

Teams using an MCP server with 60+ deep IT/identity integrations can abstract some of this complexity, but the underlying API gaps (undocumented rate limits, no batch endpoints, ambiguous delete behavior) remain constraints at the protocol level regardless of the orchestration layer.

Automate Small Improvements workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

Every app coverage, including apps without APIs
60+ app integrations plus browser automation for apps without APIs
IT graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time
Book a Demo

UpdatedMar 16, 2026

* Details sourced from official product documentation and admin references.

Keep exploring

Related apps

Abnormal Security logo

Abnormal Security

API Only
AutomationAPI only
Last updatedMar 2026

Abnormal Security is an enterprise email security platform focused on detecting and investigating threats such as phishing, account takeover (ATO), and vendor email compromise. It does not support SCIM provisioning, which means every app in your stack

Admin guideAPI guide
ActiveCampaign logo

ActiveCampaign

API Only
AutomationAPI only
Last updatedFeb 2026

ActiveCampaign uses a group-based permission model: every user belongs to exactly one group, and all feature-area access (Contacts, Campaigns, Automations, Deals, Reports, Templates) is configured at the group level, not per individual. The default Adm

Admin guideAPI guide
ADP logo

ADP

API Only
AutomationAPI only
Last updatedFeb 2026

ADP Workforce Now is a mid-market to enterprise HCM platform that serves as the HR source of record for employee data — payroll, benefits, time, and talent. User access is governed by a hybrid permission model: predefined security roles (Security Maste

Admin guideAPI guide