Summary and recommendation
Streak exposes a REST API at `https://www.streak.com/api/v1` authenticated via HTTP Basic Auth, with the personal API key passed as the username and an empty password.
Every API key is scoped to a single user account; there is no service-account or org-level token, which is a meaningful constraint for automated pipelines.
User read operations are available: `GET /users/me`, `GET /users/{userKey}`, `GET /organizations/{orgKey}/users`, and `GET /users/me/organization`.
User creation, update, and deletion are not supported via the API;
those operations must be performed through the Streak UI or Google Workspace admin.
Profile fields (name, email, photo) are read-only and sourced from the linked Google account.
No SCIM 2.0 endpoint exists.
No webhooks are documented for user-management events.
Rate limits are enforced but numeric thresholds are not publicly documented;
contact Streak support for enterprise-level specifics.
The list endpoint for org users returns all members in a single unpaginated response, so plan for large payloads in sizable organizations.
API quick reference
| Has user API | Yes |
| Auth method | API Key (HTTP Basic Auth – API key as username, empty password) |
| Base URL | `https://www.streak.com/api/v1` |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: API Key (HTTP Basic Auth – API key as username, empty password)
Setup steps
- Log in to Streak and navigate to Settings → API.
- Generate or copy your personal API key.
- Include the API key as the username in HTTP Basic Auth with an empty password, e.g., `Authorization: Basic base64(apiKey:)`.
- Alternatively, pass the API key as a query parameter: `?api_key=YOUR_KEY` (less preferred).
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| key | string | Unique identifier for the user (Streak user key) | system-generated | immutable | Used as the primary reference in API calls |
| email | string | User's Google/Gmail email address | required | not updatable via API | Tied to Google account |
| displayName | string | User's full display name | sourced from Google account | not updatable via API | |
| firstName | string | User's first name | sourced from Google account | not updatable via API | |
| lastName | string | User's last name | sourced from Google account | not updatable via API | |
| image | string | URL to the user's profile image | sourced from Google account | not updatable via API | |
| isOrgAdmin | boolean | Whether the user has organization admin privileges | set by org admin | manageable by org admin | |
| orgKey | string | Key of the organization the user belongs to | system-assigned | immutable | |
| lastSeenTimestamp | number | Unix timestamp of last activity | system-generated | system-managed | |
| creationTimestamp | number | Unix timestamp when the user was created | system-generated | immutable | |
Core endpoints
Get current authenticated user
- Method: GET
- URL: https://www.streak.com/api/v1/users/me
- Watch out for: Returns only the user associated with the API key used; cannot impersonate other users.
Request example
GET /api/v1/users/me
Authorization: Basic base64(apiKey:)
Response example
{
"key": "agxzfm...",
"email": "user@example.com",
"displayName": "Jane Doe",
"isOrgAdmin": false,
"orgKey": "agxzfm..."
}
Get user by key
- Method: GET
- URL: https://www.streak.com/api/v1/users/{userKey}
- Watch out for: You can only retrieve users within your organization.
Request example
GET /api/v1/users/agxzfm...
Authorization: Basic base64(apiKey:)
Response example
{
"key": "agxzfm...",
"email": "colleague@example.com",
"displayName": "John Smith"
}
List users in organization
- Method: GET
- URL: https://www.streak.com/api/v1/organizations/{orgKey}/users
- Watch out for: Requires the authenticated user to be a member of the specified organization. No pagination; returns all members.
Request example
GET /api/v1/organizations/agxzfm.../users
Authorization: Basic base64(apiKey:)
Response example
[
{"key": "agxzfm...", "email": "a@example.com"},
{"key": "agxzfm...", "email": "b@example.com"}
]
Get current user's organization
- Method: GET
- URL: https://www.streak.com/api/v1/users/me/organization
- Watch out for: Returns the organization of the API key owner only.
Request example
GET /api/v1/users/me/organization
Authorization: Basic base64(apiKey:)
Response example
{
"key": "agxzfm...",
"name": "Acme Corp",
"adminKey": "agxzfm..."
}
Rate limits, pagination, and events
Rate limits: Streak enforces rate limits but does not publicly document specific numeric thresholds per plan in its official docs.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: Official docs do not specify rate-limit headers or Retry-After behavior. Contact Streak support for enterprise-level rate limit details.
Pagination method: none
Default page size: 0
Max page size: 0
Pagination pointer: Not documented
Webhooks available: No
Webhook notes: Streak does not document a native webhook system for user-management events in its official API reference.
Alternative event strategy: Use polling against /users/me or /organizations/{orgKey}/users to detect membership changes.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- Streak does not offer a native SCIM 2.0 endpoint.
- No IdP-native SCIM connector (Okta, Entra ID, OneLogin) is officially documented.
- SAML SSO is available on the Enterprise plan but automated user provisioning/deprovisioning via SCIM is not supported.
Common scenarios
Three primary automation scenarios are viable with the current API surface, all read-oriented.
For org-wide user audits: authenticate with an admin-scoped API key, call GET /users/me to retrieve the orgKey, then call GET /organizations/{orgKey}/users to pull the full member list.
Parse email, key, isOrgAdmin, and lastSeenTimestamp for downstream processing.
The API key must belong to an org member;
cross-org queries are not supported.
For inactive-user identification: retrieve the org user list, compare each record's lastSeenTimestamp against your inactivity threshold, and flag matches for manual review.
Offboarding itself must be executed in the Streak UI; there is no DELETE /users endpoint.
For directory sync: poll GET /organizations/{orgKey}/users on a scheduled interval (hourly is a reasonable baseline), diff against your internal identity graph using email as the canonical identifier, and surface additions or removals for action.
No webhook or push mechanism exists, so real-time sync is architecturally unavailable;
polling is the only option.
Integrating this into an identity graph via an MCP server with 60+ deep IT/identity integrations can reduce the per-app polling burden by centralizing the diff and reconciliation logic.
Audit all users in an organization
- Authenticate with the API key of an org admin user.
- Call GET /api/v1/users/me to retrieve the orgKey from the response.
- Call GET /api/v1/organizations/{orgKey}/users to retrieve the full member list.
- Parse the returned array for email, key, isOrgAdmin, and lastSeenTimestamp fields.
Watch out for: The API key must belong to a user who is a member of the target organization. Non-members cannot list org users.
Identify inactive users for offboarding review
- Retrieve all org users via GET /api/v1/organizations/{orgKey}/users.
- Compare each user's lastSeenTimestamp against your inactivity threshold.
- Flag users whose lastSeenTimestamp is older than the threshold for manual review.
- Offboard identified users through the Streak admin UI, as the API does not support user deletion.
Watch out for: User removal must be performed manually in the Streak UI or via Google Workspace; there is no DELETE /users endpoint.
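The inactivity check from the steps above, as an added example (not Streak's or the page author's code). It assumes `lastSeenTimestamp` may arrive in seconds or milliseconds and may be missing from a record; the function names, the 90-day default, and the sample users are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def to_datetime(ts):
    # The page says "Unix timestamp" without units. Assumption: values above
    # 1e11 are milliseconds (1e11 seconds would be the year 5138).
    seconds = ts / 1000 if ts > 1e11 else ts
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def find_inactive(users, now, max_idle_days=90):
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for user in users:
        ts = user.get("lastSeenTimestamp")
        if not ts:
            # Missing or zero: no recorded activity. Report it separately
            # instead of treating the account as "last seen in 1970".
            idle_days, reason = None, "never_seen"
        else:
            seen = to_datetime(ts)
            if seen >= cutoff:
                continue
            idle_days, reason = (now - seen).days, "idle"
        flagged.append({
            "email": user.get("email"),
            "key": user.get("key"),
            "isOrgAdmin": bool(user.get("isOrgAdmin")),
            "idle_days": idle_days,
            "reason": reason,
        })
    # Dormant admin accounts first, then never-seen, then longest idle.
    flagged.sort(key=lambda r: (not r["isOrgAdmin"],
                                -(r["idle_days"] if r["idle_days"] is not None else float("inf"))))
    return flagged


def ts_utc(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


# Constructed sample in the shape of GET /organizations/{orgKey}/users.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"key": "k1", "email": "active@example.com", "lastSeenTimestamp": ts_utc(2024, 5, 20)},
    {"key": "k2", "email": "old@example.com", "lastSeenTimestamp": ts_utc(2023, 12, 1) * 1000},
    {"key": "k3", "email": "admin@example.com", "isOrgAdmin": True, "lastSeenTimestamp": ts_utc(2024, 1, 1)},
    {"key": "k4", "email": "new@example.com"},
]
```

The output is a review queue only; removal still happens in the Streak UI or Google Workspace.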
Sync Streak org membership to an internal directory
- Poll GET /api/v1/organizations/{orgKey}/users on a scheduled interval.
- Diff the returned user list against your internal directory using the email field as the canonical identifier.
- Add or flag-for-removal users based on the diff result.
- Because no webhooks exist, schedule polling at an appropriate interval (e.g., hourly) to detect changes.
Watch out for: No webhook or push notification is available; real-time sync is not possible without continuous polling.
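The diff step above, as an added example (not part of the original page or of Streak's tooling). It matches on normalized email, reports org admins the directory does not expect, and marks a poll as suspect when most directory members are suddenly missing; the function names, the `expected_admins` input, the 0.5 ratio, and the sample data are assumptions made for illustration.

```python
def normalize(email):
    # Email is the join key, so compare case-insensitively and without padding.
    return email.strip().lower()


def diff_membership(streak_users, directory_emails, expected_admins=(), max_missing_ratio=0.5):
    current = {normalize(u["email"]): u for u in streak_users if u.get("email")}
    directory = {normalize(e) for e in directory_emails}
    allowed_admins = {normalize(e) for e in expected_admins}

    missing = sorted(directory - current.keys())
    return {
        # Present in Streak but unknown to the directory: review for removal.
        "unmanaged": sorted(current.keys() - directory),
        # In the directory but absent from Streak: removed or never granted.
        "missing": missing,
        # Org admins that the directory does not list as admins.
        "unexpected_admins": sorted(
            e for e, u in current.items()
            if u.get("isOrgAdmin") and e not in allowed_admins
        ),
        # An empty or sharply shrunken poll looks like an API failure, not a
        # mass offboarding; callers should skip directory updates when set.
        "suspect_poll": bool(directory)
        and len(missing) / len(directory) > max_missing_ratio,
    }


# Constructed sample data (not real accounts).
STREAK_USERS = [
    {"key": "k1", "email": "Alice@Example.com", "isOrgAdmin": True},
    {"key": "k2", "email": "bob@example.com", "isOrgAdmin": True},
    {"key": "k3", "email": "contractor@example.net"},
]
DIRECTORY = ["alice@example.com", "bob@example.com", "carol@example.com"]
```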
Why building this yourself is a trap
The core API trap with Streak is the personal-key authentication model. Because every key is tied to a specific user account, any automated workflow breaks if that user is offboarded, changes their Google account, or rotates their key without updating dependent systems.
There is no mechanism to issue a credential that survives individual user lifecycle events.
The second structural caveat is write-scope absence: the API cannot create, update, or delete users. Any provisioning or deprovisioning automation built on this API will have a mandatory manual step at the Streak UI layer, which undermines the value of automation for user lifecycle use cases specifically.
Finally, because rate-limit thresholds, rate-limit headers, and Retry-After behavior are all undocumented, high-frequency polling or bulk audit scripts must implement conservative backoff heuristics without vendor guidance on safe thresholds. The v1 API versioning strategy is also not formally documented, so breaking-change risk on any integration should be treated as unmitigated.
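A polling client that combines the Basic Auth scheme described on this page with a conservative backoff, as an added example (not Streak's or the page author's code). It assumes throttling surfaces as HTTP 429 or a 5xx status, which the page does not confirm; the function names, retry count, and delay bounds are illustrative.

```python
import base64
import json
import random
import time
import urllib.error
import urllib.request

BASE_URL = "https://www.streak.com/api/v1"  # base URL stated on this page


def basic_auth_header(api_key):
    # The API key is the Basic Auth username; the password is empty, hence the trailing colon.
    token = base64.b64encode(f"{api_key}:".encode()).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def backoff_delay(attempt, retry_after=None, base=2.0, cap=300.0, rng=random.random):
    # Honor a numeric Retry-After if one is sent; whether Streak sends it is undocumented.
    if retry_after is not None:
        try:
            return min(cap, max(0.0, float(retry_after)))
        except ValueError:
            pass  # HTTP-date form or junk: fall through to the heuristic
    # Exponential backoff with full jitter, capped at `cap` seconds.
    return rng() * min(cap, base * (2 ** attempt))


def get_json(path, api_key, max_attempts=5, opener=urllib.request.urlopen, sleep=time.sleep):
    # The key travels in the Authorization header, never in the URL.
    req = urllib.request.Request(BASE_URL + path, headers=basic_auth_header(api_key))
    for attempt in range(max_attempts):
        try:
            with opener(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            # Assumption: 429 and 5xx are transient. A 401/403 means the key's
            # owner was offboarded or the key was rotated, so fail loudly.
            if (err.code != 429 and err.code < 500) or attempt == max_attempts - 1:
                raise
            sleep(backoff_delay(attempt, err.headers.get("Retry-After")))
    raise RuntimeError("max_attempts must be at least 1")
```

Treat a 401 from this client as an alert rather than a retry condition, since it is the signal that the personal key behind the integration is no longer valid.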