What is a Unified API?
A unified API is a single API interface that aggregates multiple third-party APIs in the same software category — CRM, accounting, HRIS, ATS, payroll, and others — behind one standardized endpoint. With a unified API, applications authenticate once, integrate once, and receive normalized data from any supported integration in that category.
Unified APIs vary in their underlying architecture. Real-time pass-through unified APIs route every request live to the source system without storing customer data. Sync-based unified APIs cache data from source systems on a schedule and serve reads from that cache. The architectural choice has implications for data freshness, compliance scope, latency, and AI agent compatibility — covered in detail below.
Key takeaways
- A unified API gives applications one endpoint, one auth flow, and one data model across many vendors in the same category — instead of building per-vendor integrations.
- Real-time pass-through unified APIs route requests live to source systems with no customer data stored at rest. Sync-based unified APIs cache data on a schedule and serve reads from that cache.
- The architectural choice affects data freshness, compliance scope, latency profile, and AI agent compatibility. These trade-offs are concrete, not stylistic.
- Most unified APIs handle the lowest-common-denominator critique through a "raw" passthrough mechanism that preserves vendor-specific custom fields and objects outside the normalized schema.
- Pricing models vary substantially: per linked account, per active consumer, per API call, and consumption-based. Each scales differently with customer count and integration breadth.
What problem does a unified API solve?
Different APIs represent the same concepts in different ways, even within a single category. One CRM API refers to an end-user as a "User"; another calls them a "Contact"; a third uses "Lead." Each representation has different properties, field names, authentication schemes, pagination patterns, rate limits, and error formats.
For an application that needs to integrate with several vendors in the same category, this fragmentation translates directly into engineering cost. Every integration requires reading new documentation, mapping a new data schema, handling new authentication flows, and building error-handling for new edge cases. Maintenance compounds: each vendor's API evolves independently, and breaking changes must be tracked and adapted to per integration.
A unified API addresses this by providing an abstraction layer between an application and the underlying APIs in a category. The application interacts with a single, consistent interface; the unified API translates each request into the appropriate vendor-specific call and normalizes the response into a common schema.
How does a unified API speed up development?
A unified API reduces the number of integrations and the work associated with them. Instead of writing integration code per vendor, applications write integration code once against the unified data model. New vendors in the same category become available without additional integration work — the unified API vendor handles the mapping.
For an application supporting a handful of integrations, the time savings are modest. For an application supporting dozens, savings are substantial — typically reducing months of engineering work per integration to days or hours.
What complexity does a unified API actually remove?
A unified API removes per-vendor variance in four specific areas:
- Authentication and authorization — different OAuth2 flows, API key schemes, scope models, and token refresh behaviours collapse into a single authentication interface.
- Data representation — different schemas, field names, and data types collapse into a normalized data model per category.
- Endpoint structure — different URL patterns, HTTP methods, and request formats collapse into consistent endpoints across the category.
- Error handling — different error codes, response formats, and rate-limit behaviours collapse into consistent error semantics.
What a unified API does not remove: the underlying differences in vendor capability. If one vendor in a category supports a feature that others do not, the unified API still has to make a choice about how to surface that feature — typically through a "raw" passthrough mechanism (covered below).
How does a unified API enhance functionality beyond raw aggregation?
Some vendor APIs lack features that simplify integration — webhooks for change notifications, consistent pagination, predictable rate limits, or filtering. A well-designed unified API can add these capabilities as a layer above the underlying APIs:
- Polling-based event delivery for vendors without native webhooks ("virtual webhooks").
- Consistent pagination patterns across all integrations in a category.
- Centralized rate-limit management that handles per-vendor quotas transparently.
- Standardized filtering and field selection.
This is the difference between a unified API and a request proxy: a unified API can provide features the underlying APIs do not natively support.
Real-time pass-through vs. sync-based architectures
Unified APIs fall into two architectural categories. The choice has concrete implications for application design.
| Property | Real-time pass-through | Sync-and-cache |
|---|---|---|
| Data freshness | Live; reflects source-system state at request time | Bounded by sync interval; can be hours stale |
| Customer data storage | None; only operational metadata stored | Customer records cached for serving reads |
| Compliance scope | Not a sub-processor for payload data | Full sub-processor for cached records |
| Latency profile | Full source-system round-trip per request | Local cache reads (fast); source delays on writes |
| Write-back behaviour | Synchronous; success/failure known immediately | Instant write, but reads may lag sync interval |
| AI agent compatibility | Agents reason on current source-system state | Risk of agent acting on stale cached data |
| Typical pricing model | Per API call or per request | Per linked account or per consumer |
Note on operational metadata: real-time pass-through unified APIs typically store connection identifiers, encrypted OAuth credentials, and API call logs — but not customer payload data (records like contacts, employees, or invoices). This distinction is what determines compliance scope.
When real-time pass-through is the right choice
Real-time pass-through is appropriate when:
- The application requires current data on every read (financial reconciliation, AI agent integrations, live dashboards).
- The application's compliance posture benefits from minimizing stored customer data.
- Write-back operations need immediate confirmation of success or failure at the source.
- The application's latency budget can accommodate a full source-API round-trip per request (typically 800ms–1.5s).
When sync-and-cache is the right choice
Sync-and-cache is appropriate when:
- The application's read patterns tolerate data being minutes or hours stale.
- The application requires sub-100ms read latency that local cache reads provide.
- The application performs high-volume historical analytics that would be expensive to execute against live source APIs.
- The application's compliance framework already accommodates a unified API vendor as a data sub-processor.
What should you look for in a unified API?
How are unified API endpoints structured?
A unified API needs unified endpoints for each integration category. An API call to retrieve CRM contacts should be identical regardless of which underlying CRM is providing the data. The endpoint structure should be predictable, RESTful, and consistent across all integrations in the category.
How does data normalization work across vendors?
Data models must be unified, not just endpoints. A CRM contact returned from one vendor should have the same field structure as a CRM contact returned from another. The normalized schema needs sufficient depth to support real use cases — names and emails are not enough for most applications.
Two depth dimensions to evaluate:
- Field coverage: how many fields per object are normalized into the unified schema?
- Object coverage: how many distinct object types per category are supported (e.g., for CRM: contacts, companies, deals, pipelines, activities, notes)?
How is authentication handled?
The unified API should provide a single authentication flow across all integrations in a category. Common authentication metadata (vendor name, account name, scopes granted) should be available programmatically so the application can display connection state natively.
A pre-built authorization UI component is often provided to handle the OAuth2 handshake with end users, reducing the application's auth implementation burden to a single integration.
How are permission scopes managed?
Along with unified authentication, a unified API should provide abstracted permission scopes so the application does not need to research per-vendor OAuth2 scopes for each use case. Scope abstraction maps the application's intent (e.g., "read contacts") to the appropriate per-vendor scope automatically.
How do unified APIs handle vendors that don't support webhooks?
Most SaaS APIs do not support native webhooks. A unified API should provide a consistent event-delivery model regardless of whether the underlying vendor supports webhooks natively.
The common implementation pattern is "virtual webhooks": the unified API polls source APIs at configurable intervals, detects changes via timestamps or diffs, and delivers events to the application's endpoint only when changes are found. From the application's perspective, native and virtual webhooks use the same subscription model, the same event format, and the same retry semantics.
This differs from sync-based notification systems, where data is first cached on a schedule and a notification fires after sync completion — requiring the application to fetch the changed data in a separate request. With virtual webhooks, change detection and event delivery are unified: detect changes at the source, deliver events directly.
Polling intervals should be configurable. Default intervals vary substantially across unified API vendors (some default to 24 hours; others support per-minute polling).
How are custom fields and custom objects handled?
The "lowest common denominator" critique of unified APIs is that normalization across many vendors loses vendor-specific features, custom fields, and custom objects. Most modern unified APIs address this through three mechanisms:
- Custom field support in the normalized schema, allowing per-customer field definitions.
- Metadata APIs that surface vendor-specific schema information programmatically.
- Raw passthrough that allows direct calls to vendor-specific endpoints while still using the unified API's authentication and connection management.
Evaluating these mechanisms requires testing against specific use cases. The ability to handle Salesforce custom objects, HubSpot custom properties, or industry-specific HRIS fields varies meaningfully across unified API vendors.
How does pricing scale with usage?
Unified API pricing models vary substantially. The four common patterns:
- Per linked account: priced by the number of customer-vendor connections (one customer using three integrations = three linked accounts).
- Per active consumer: priced by the number of active end-customers using any integration.
- Per API call: priced by request volume, with unlimited connections.
- Consumption-based: priced by data volume transferred (typically GB).
The right pricing model depends on the application's own pricing structure and customer-integration ratio. Per-linked-account pricing scales with customer × integration count, which can be predictable for low-integration applications and prohibitive for multi-integration ones. Per-API-call pricing scales with actual data activity, which favours applications with many connections but low per-connection volume.
When is a unified API the wrong choice?
A unified API is not the right architectural choice in every case. Three common scenarios where alternatives are better:
Single-vendor or two-vendor integrations
If an application only integrates with one or two vendors and has no near-term plans to add more, building per-vendor integrations directly against the source API is often faster and cheaper than adopting a unified API. The amortized engineering savings of a unified API only materialize at three or more integrations in a category.
Workflow automation across internal applications
If the integration use case is internal workflow automation (e.g., "when a Salesforce deal closes, create a Jira ticket and update an internal database"), an iPaaS platform like Workato, Zapier, or MuleSoft is typically a better fit than a unified API. iPaaS platforms are built for workflow orchestration; unified APIs are built for customer-facing data access.
Deep per-customer customization
If each customer requires unique integration logic — different field mappings, different sync schedules, different transformation rules — an embedded iPaaS platform (Paragon, Workato Embedded, Tray Embedded) is often a better fit. Embedded iPaaS gives end-users a configuration interface for their own integrations; unified APIs give developers a programmatic interface for standardized integrations.
Use cases requiring full vendor-specific feature depth
If the application needs deep access to vendor-specific features that are not represented in the unified schema (e.g., Salesforce Apex triggers, HubSpot workflow automation, Workday's full reporting framework), the unified API's normalized layer may not provide sufficient depth. The raw passthrough mechanism partially addresses this, but at the cost of losing the unified abstraction for those operations.
Security considerations
A unified API sits in the data path between an application and its customers' third-party data. Security evaluation should cover:
- Customer data storage: does the unified API store customer payload data at rest, or pass requests through statelessly? This determines compliance scope and audit surface.
- Credential storage: where are OAuth2 client credentials and customer access tokens stored? External secret management (e.g., AWS Secrets Manager) is preferable to in-platform storage for high-security applications.
- Encryption: at-rest encryption for stored credentials and operational metadata; in-transit encryption (TLS 1.2+) for all API traffic.
- Compliance certifications: SOC 2 Type II, GDPR, HIPAA, PIPEDA, ISO 27001 as applicable to the application's regulated data categories.
- Data residency: regional infrastructure for applications subject to data residency requirements (US, EU, AU, etc.).
Reliability considerations
The unified API becomes a critical dependency for the application. Evaluation should cover:
- SLA and uptime history: published uptime targets and historical performance.
- Connection health monitoring: does the unified API detect broken third-party vendor connections proactively, before the application's customers do?
- Error reporting and observability: API call logs, error categorization, retry visibility.
- Hosting and scaling: where the unified API is hosted and how it scales under load.
Use case compatibility: breadth, depth, and clustering
Three dimensions to evaluate against the application's use case:
- Breadth: number of supported vendors in any one category. Higher breadth supports more customer-vendor combinations.
- Depth: number of fields and object types in the normalized data model. Higher depth supports more sophisticated use cases (e.g., full HRIS payroll vs. just employee directory).
- Clustering: support for multiple categories with linked data models. Applications that span CRM + Support + Marketing benefit from clustering; single-category applications do not.
Unified.to
Unified.to provides a real-time, stateless pass-through unified API across 440+ integrations and 27 categories — including CRM, accounting, HRIS, ATS, payroll, ticketing, e-commerce, messaging, and others. Every request is routed live to the source system. No customer payload data is stored at rest.
Unified.to additionally provides a hosted MCP (Model Context Protocol) server with 20,000+ callable MCP tools, allowing AI agents to read and write across customer SaaS integrations through a single connection-scoped interface.
For pricing details, see unified.to/pricing. For full API documentation, see docs.unified.to.