# MCP Server

## The interface that makes your IT team AI-native.

One MCP server over your entire SaaS stack.

Query cross-app identity data, execute governed actions, and get auditor-ready evidence. We built and maintain the infrastructure.

Your team builds workflows that run on it.

### Access review

$$
Show me everyone who still has access to anything 30 days after termination

Scanned 47 apps against your Okta directory. Found 4 terminated users with active access:

| User           | Active in                       | Since term | Status   |
|----------------|---------------------------------|------------|----------|
| Sarah Chen     | Figma, Slack, GitHub, Jira      | 34 days    | Critical |
| James Rivera   | Adobe CC, Notion, Zoom          | 41 days    | Critical |
| Priya Patel    | Salesforce, HubSpot             | 37 days    | Critical |
| Mike Torres    | Google Workspace, Okta          | 52 days    | Critical |

4 terminated users with active access across 11 apps. Estimated exposure: $2,340/mo in unused licenses. Ready to deprovision?

- Deprovision all
- Export report
- Notify managers

### Why IT managers care

## One server. Four compounding advantages.

### Speed

Cross-app answers in seconds. Not hours across 45 admin consoles. Ask once. Get the full picture.

### Risk reduction

Every action governed, logged, and reversible. No ungoverned admin access. Every action goes through the same policy layer.

### Auditability

Evidence exists before the auditor asks. Every query, every action, every decision timestamped and exportable.

### Team leverage

Your L1 runs workflows. Your senior staff designs them. The first workflow takes less than a week. By the fifth, your team builds them.

## Architecture

### Three data channels. One identity graph. Served over MCP.

Connect any MCP client, query a unified identity graph across 100+ apps, and act — all through one server.

### Your AI Tools

Any MCP-compatible client

Claude

Cursor

### Data Sources

- API integrations: 100+ APPS
  - O - Okta
  - S - Slack
  - J - Jira
  - G - GitHub
  - S - Salesforce
- Browser automation: LOCAL
  - AC - Adobe CC
  - F - Figma
  - N - Navan
  - C - Canva
- CSV ingestion: DATA-IN
  - S - Slack
  - Chrome ext
  - Email

### Stitchflow MCP Server

- Query routing, identity reconciliation, and audit logging
- Identity graph

Every user reconciled across every app against your identity provider.

- Workflow engine

Branching logic, exception handling, approval gates, escalation paths.

### Execute Actions

- Provision and deprovision across every app
- Modify roles, entitlements, group memberships
- Create tickets in Jira, Freshservice
- Trigger full workflows end-to-end
- Generate Reports

Who has access to what, across every app.

### Deep data models

We know what “deprovisioned” actually means in each app. App-specific data models built for IT use cases. Every field that matters for provisioning, access, and compliance.

#### Fields tracked per app

- Provisioning status
- Role assignments
- Group memberships
- Last login
- Last usage
- License status
- Access levels
- Entitlements

#### Cross-app queries answered in seconds

Identity-reconciled against your IDP.

Who has access to what, across every app.

### Example queries

## Natural language. Cross-app answers.

Any MCP client. Claude, Cursor, or your own agents.

### Access review

Find security exposure across 47 apps in seconds.

- Generate access review report with reviewer sign-offs and remediation trail
- Show me everyone who still has access to anything 30 days after termination

### API integrations

#### The same intent maps to different APIs in every app.

Each integration is purpose-built for the app's specific data model and action surface. Not a generic REST wrapper. Read and write paths are implemented per app with endpoint-level precision.

- O - Okta
  - GET/api/v1/users/{id}/groups
    - List all groups a user inherits access from.
  - DELETE/api/v1/users/{userId}/sessions
    - Invalidate active sessions and revoke OAuth tokens.
- S - Slack
  - DELETE/scim/v1/Users/{id}
    - Delete a SCIM-managed user record from the workspace.

### Browser automation

## If a human can do it in a browser, we can automate it.

Your most expensive seats have zero user management API, or SCIM gated behind enterprise tiers. They get skipped during offboarding. Not here.

Under the hood

Playwright-based

- Chrome extension running locally
- Credentials stay local, never leave your network.
- No data exfiltration.

### Apps covered via browser automation

- AC - Adobe Creative Cloud
- N - Navan
- F - Figma
- C - Canva

## CSV ingestion for the apps that have nothing.

Upload, parse & validate, reconcile, and ingest user data into the identity graph so nothing gets skipped.

### Upload channels

- Slack
- Chrome ext
- Email

### When to use it

No API available, legacy exports, vendor-managed apps.

### Integrations

## 100+ deep integrations across your stack.

Provisioning status, roles, groups, usage, and license data per app.

### Identity & Access

- O - Okta
- AA - Azure AD
- GW - Google Workspace

### Collaboration

- S - Slack
- N - Notion
- MT - Microsoft Teams

### DevTools

- G - GitHub
- J - Jira

### Design & Creative

- F - Figma
- AC - Adobe Creative Cloud

### CRM & Support

- S - Salesforce
- H - HubSpot

### Finance & Ops

- S - Stripe
- Q - QuickBooks

## Production infrastructure

3 years in production. Not a demo. Every integration maintained and updated when APIs change. SOC 2 Type II Certified. Audited annually.

## How your role changes

Your team stops searching admin consoles. They start asking questions:

### What stays human

Workflow design and decision logic, policy calls, and exception handling.

### What gets automated

Data aggregation, identity reconciliation at query time.

### Your role levels up

Your senior staff designs workflows. Your L1 runs them.
