Can I migrate from Finch without asking customers to reconnect?

Yes. If you own your OAuth apps, the refresh tokens are portable. You export them from Finch, import them into your new platform's credential context, and the end user never knows the infrastructure changed.

How do I keep my frontend code unchanged during the migration?

Use declarative JSONata mappings to reshape the new platform's response format to match Finch's schema exactly. Your application code continues to consume the same data shape—the transformation happens at the integration layer, not in your codebase.

What happens to rate limits after migrating from Finch?

Rate limits are set by the upstream provider. Some unified APIs silently retry on 429 errors, causing latency spikes. Truto passes the HTTP 429 directly to you with standardized IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) so you control retry and backoff logic.

How long does a Finch to unified API migration take?

For a typical team with 50-100 connected accounts, expect 2-4 weeks of focused engineering time. The bulk of the work is building declarative schema mappings and running shadow validation, not re-implementing integrations.

Does Finch support CRM or accounting integrations?

No. Finch is purpose-built for the employment ecosystem: HRIS, payroll, benefits, and employment verification. If your product roadmap requires CRM, ATS, accounting, or ticketing integrations, you need a multi-category provider.

How to Migrate from Finch to a Multi-Category Unified API (Without the Re-Authentication Cliff)

If you built your initial HRIS integrations on Finch and your product roadmap now demands CRM, ATS, ticketing, or accounting integrations, you are staring at an architectural wall. Finch does one thing exceptionally well: employment data. But when enterprise buyers demand native integrations with their broader software ecosystem, a single-category unified API becomes a hard bottleneck.

The engineering reality is stark. You either integrate a second unified API platform, build point-to-point connections in-house, or migrate to a multi-category provider. Most engineering leaders delay this migration because of the "re-authentication cliff." Moving to a new integration infrastructure typically means emailing hundreds of enterprise customers, asking their IT admins to log back in, and forcing them to re-authorize OAuth permissions.

This process generates support tickets, introduces immediate churn risk, and burns social capital with your best accounts.

You can bypass this entirely. If you approach the migration as a data operation rather than a code rewrite, you can port your existing integrations to a multi-category unified API without your end users ever knowing. This guide breaks down the exact technical strategy to export OAuth tokens, import them into a generic credential context, handle rate limits post-migration, map schemas with declarative transforms, and flip traffic—without forcing a single end user to reconnect.

We published a broader architectural overview of this migration pattern in our Migrating Beyond Finch guide. This article goes deeper on the step-by-step execution.

The Architectural Wall: Why Single-Category Unified APIs Stop Scaling

A single-category unified API covers one vertical well but becomes a bottleneck the moment your product needs data from a second category.

Finch's unified API was built specifically for the employment ecosystem. That specificity is a strength when all you need is employee directories, pay runs, and benefits enrollment. It normalizes data across HRIS and payroll providers into a clean data model, handles the messy auth flows for systems like ADP, Gusto, and Paychex, and its infrastructure now syncs records for nearly 10% of the U.S. workforce. If your product only touches HR workflows, remaining on a single-vertical API makes sense.

But product roadmaps rarely stay in one lane. In 2024, companies used an average of 106 SaaS applications globally. Your customers expect your product to talk to their entire stack. When a major prospect asks for a Salesforce or NetSuite integration, telling them "we only support HRIS" kills the deal. According to Demandbase's State of the B2B Buyer report, 89% of buyers prioritize integration capabilities over standalone features during software evaluation.

Building these new categories in-house is prohibitively expensive. Maintaining a single production-grade SaaS integration costs $50,000 to $200,000 per year when factoring in engineering time, QA, handling archaic SOAP endpoints, bizarre rate limits, and undocumented edge cases.

Expanding beyond HRIS also breaks in-house engineering models because the complexity multiplies exponentially. HRIS data models are relatively flat: you have employees, departments, and payroll runs. Accounting APIs like NetSuite or QuickBooks, however, require double-entry ledger logic, multi-currency handling, and complex tax rate mappings. CRM APIs like Salesforce are notorious for highly customized objects and polymorphic relationships. Building an integration for BambooHR might take an engineer three weeks; building an integration for Oracle NetSuite can take three months and require specialized domain knowledge.

This multi-vendor sprawl creates real costs:

Credential management across N platforms: Each vendor stores OAuth tokens differently, refreshes them on different schedules, and exposes different failure modes.
Schema divergence: Your backend now speaks Finch's HRIS data model, Vendor B's CRM model, and Vendor C's accounting model. Three sets of pagination logic. Three webhook formats. Three error envelopes.
Compounding maintenance: Every API change from every vendor hits your team.

To learn more about the limitations of single-vertical platforms, read our breakdown of Kombo vs Finch vs Truto.

The Re-Authentication Cliff: Why Engineering Delays the Migration

The primary reason teams stay locked into their initial integration provider is the fear of the migration event. The "re-authentication cliff" is the operational nightmare of asking hundreds of enterprise customers to log back in and re-authorize OAuth permissions when you switch integration infrastructure.

When you switch from Finch to a multi-category provider, the underlying OAuth applications change. The standard migration path requires you to deploy the new provider's authentication widget, deprecate the Finch connection, and execute a brutal sequence:

You email every customer whose IT admin originally connected their BambooHR, Gusto, or Workday instance through Finch.
You ask that admin—who may have changed roles, left the company, or simply does not remember what your integration was—to click a new authorization link.
For every customer that does not re-auth within your deadline, your integration goes dark. Syncs stop. Data stales. Support tickets pile up.

Enterprise IT admins are gatekeepers with limited patience. Asking them to re-authorize an integration they thought was "done" erodes trust and invites a competitive evaluation. Your customer success team will spend weeks chasing reconnections, and some percentage of accounts will simply never complete the flow.

This fear is entirely justified—but the assumption that migration requires re-authentication is wrong. Because unified APIs are ultimately just state machines managing standard OAuth 2.0 credentials, you can extract that state and move it.

Step-by-Step: Migrating from Finch Without Re-Authenticating Users

The core insight: treat this migration as a data operation, not a code rewrite. You are moving OAuth tokens and mapping configurations between systems, not rebuilding integrations from scratch.

flowchart TD
    A["Step 1:<br>Audit existing<br>Finch connections"] --> B["Step 2:<br>Export OAuth tokens<br>and credentials"]
    B --> C["Step 3:<br>Import into new<br>credential context"]
    C --> D["Step 4:<br>Build declarative<br>schema mappings"]
    D --> E["Step 5:<br>Shadow traffic<br>and validate"]
    E --> F["Step 6:<br>Flip DNS<br>and monitor"]

Step 1: Audit Your Existing Finch Connections

Export your full list of connected accounts from Finch. For each connection, document:

Provider type (e.g., BambooHR, Gusto, ADP Run)
Auth method (OAuth 2.0, API key, credential-based, or assisted)
Scopes granted (organization, payroll, deductions)
Connection health (active, stale, errored)

Depending on the provider, users connect via credentials, API token, or a 3rd party admin. This matters because credential-based and assisted connections have different portability characteristics than OAuth tokens.

Step 2: Export OAuth Tokens and Credentials

This is the step that makes zero-downtime migration possible. Finch, like any integration platform, stores the underlying OAuth access tokens, refresh tokens, and expiry timestamps for each connected account.

If you own your OAuth app (i.e., you registered your own client ID and client secret with each provider), you already have everything you need. The refresh tokens stored by Finch were issued to your OAuth app, not to Finch's. For providers where you used Finch's managed OAuth app, you will need to work with Finch support or utilize their extraction APIs to export this credential state.

You need a secure export containing the provider identifier, raw access_token, raw refresh_token, expires_at timestamp, authorized scopes, and the customer's tenant ID/subdomain. For API-key-based connections (common with smaller payroll providers), the credentials are portable by definition—they are just strings.

This is the single biggest architectural decision that affects portability: always own your OAuth apps. We wrote an in-depth guide to OAuth app ownership and avoiding vendor lock-in.

Step 3: Import Into the New Platform's Credential Context

Once you have the raw tokens, you programmatically inject them into your new multi-category unified API. In Truto, this is handled via a secure backend API call to create an Integrated Account.

You pass the raw tokens directly into the platform's generic credential context. The platform immediately assumes responsibility for the token lifecycle. If the access token is near expiry, the platform schedules work ahead of token expiry to refresh it using the provided refresh token.

{
  "integration": "bamboohr",
  "auth_type": "api_key",
  "credentials": {
    "api_key": "encrypted_value_here",
    "subdomain": "acme-corp"
  },
  "metadata": {
    "original_provider": "finch",
    "migrated_at": "2026-04-17T00:00:00Z",
    "customer_id": "cust_abc123"
  }
}

sequenceDiagram
    participant App as Your Backend
    participant Finch as Finch API
    participant Truto as Truto API
    participant HRIS as Upstream HRIS
    
    App->>Finch: Request token export
    Finch-->>App: Return access_token, refresh_token
    App->>Truto: POST /v1/integrated-accounts<br>(Inject tokens)
    Truto->>HRIS: Validate token state
    HRIS-->>Truto: 200 OK
    Truto-->>App: Return new integrated_account_id

Encrypt all tokens at rest using AES-256-GCM or equivalent. Storing OAuth tokens in plain text is the equivalent of leaving your house keys under the welcome mat. All sensitive fields—including access tokens, refresh tokens, API keys, and client secrets—must be encrypted at rest.

Step 4: Build Declarative Schema Mappings

The final hurdle in a migration is the data schema. Finch has a specific JSON structure for employee records. Your frontend components and database models are tightly coupled to that exact structure. If you migrate to a new unified API, the default data models will look different.

Rewriting your frontend code to handle a new schema negates the speed advantage of the migration. You solve this using declarative mappings.

Truto utilizes a zero-code extensibility model powered by JSONata. Instead of writing integration-specific logic in your codebase to translate the new schema back into the Finch format, you define a JSONata transformation at the platform layer. When you query the new platform, the JSONata expression intercepts the response, maps the fields, and outputs the exact JSON structure your application expects.

Here is an example. Finch returns employee data like this:

{
  "id": "finch-uuid-123",
  "first_name": "Jane",
  "last_name": "Doe",
  "department": { "name": "Engineering" },
  "manager": { "id": "finch-uuid-456" },
  "employment": { "type": "employee", "status": "active" }
}

Your new unified API might return the same data in a slightly different shape:

{
  "id": "new-uuid-789",
  "firstName": "Jane",
  "lastName": "Doe",
  "departmentName": "Engineering",
  "managerId": "new-uuid-012",
  "employmentType": "employee",
  "employmentStatus": "active"
}

A JSONata mapping to convert the new shape back to Finch's expected format looks like this:

{
  "id": id,
  "first_name": firstName,
  "last_name": lastName,
  "department": { "name": departmentName },
  "manager": { "id": managerId },
  "employment": {
    "type": employmentType,
    "status": employmentStatus
  }
}

Truto manages these mappings across a 3-level override hierarchy:

Platform Level: The baseline mapping that normalizes a provider to the Unified Model.
Environment Level: Your company-specific overrides. This is where you place the JSONata logic to mimic the Finch schema. It applies to all your customers automatically.
Integrated Account Level: Per-customer overrides. If one specific enterprise customer has a highly customized Workday instance with bespoke fields, you can apply a JSONata mapping exclusively to their account without affecting your global codebase.

By applying this mapping at the environment level, every HRIS integration you query will return data in the exact format your legacy code requires. Your frontend engineers do not have to change a single line of code. To understand how this architecture eliminates technical debt, read our deep dive on Zero Integration-Specific Code.

Step 5: Shadow Traffic, Webhooks, and Validation

Before flipping production traffic, run your new integration layer in shadow mode. Send the same API requests to both Finch and the new platform, compare the responses, and flag discrepancies. Pay special attention to pagination behavior, date format normalization, null vs. empty-string handling, and rate limit headers.

APIs are not just about polling data; they are about real-time event ingestion. Finch provides webhooks for employee updates. When you migrate, you must also port your webhook ingestion strategy. Truto handles incoming webhooks from third-party integrations by ingesting the HTTP request, verifying the provider's signature, mapping the provider-specific event to a unified event type, and delivering it to your endpoint. Because Truto standardizes the outbound signature format (X-Truto-Signature), your security team only needs to implement one verification function for all 100+ integrations across all categories.

Step 6: Flip DNS and Monitor

With the credentials safely stored, mappings active, and shadow validation passed, you update your backend routing logic. Instead of querying Finch's endpoints with the old connection ID, you query the new platform's endpoints with the new integrated account ID.

The end user experiences zero downtime. They do not log in. They do not click any buttons. The data simply continues to flow through a different pipe. Keep Finch active in read-only mode for 30 days as a rollback safety net. Monitor error rates, latency percentiles, and webhook delivery success rates.

Handling Post-Migration Rate Limits and Error Normalization

When you change integration infrastructure, the way your application handles upstream API errors must adapt. This is highly relevant when dealing with rate limits. Different unified API platforms handle upstream HTTP 429 errors differently, and the difference matters.

Many unified APIs attempt to hide rate limits by placing your requests into opaque vendor queues. They absorb the HTTP 429 Too Many Requests errors and retry them silently. While this sounds convenient in marketing copy, it creates massive engineering headaches in production. Silent queuing leads to state mismatch, unpredictable latency spikes, timeout errors on your frontend, and zero visibility into when a request will actually complete.

Truto takes a radically transparent approach. Truto does not retry, throttle, or apply backoff on rate limit errors. When an upstream API returns an HTTP 429, Truto passes that error directly back to the caller. To make this actionable, Truto normalizes the upstream provider's rate limit metadata into standardized IETF headers:

ratelimit-limit: The maximum number of requests permitted in the current window.
ratelimit-remaining: The number of requests remaining in the current window.
ratelimit-reset: The time at which the current rate limit window resets.

Approach	Pros	Cons
Platform absorbs 429s	Simpler client code	Unpredictable latency, hidden queue depths, no visibility into remaining quota
Platform passes 429s with normalized headers	Full client control, predictable behavior, auditable	Requires client-side retry logic

This architectural decision gives you full control. Your engineering team can implement exponential backoff, circuit breakers, or custom queuing logic that fits your exact system architecture. A practical client-side handler looks like this:

async function fetchWithBackoff(url, options, maxRetries = 3) {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const response = await fetch(url, options);
    
    if (response.status === 429) {
      const resetEpoch = response.headers.get('ratelimit-reset');
      // Calculate exact wait time based on upstream reset, or fallback to exponential
      const waitMs = resetEpoch
        ? (parseInt(resetEpoch) * 1000) - Date.now()
        : Math.pow(2, attempt) * 1000;
      
      console.log(`Rate limit hit. Retrying in ${waitMs}ms`);
      await new Promise(resolve => setTimeout(resolve, Math.max(waitMs, 1000)));
      continue;
    }
    
    return response;
  }
  throw new Error('Rate limit exceeded after max retries');
}

The ratelimit-reset header tells you exactly when the upstream provider's quota resets. No guessing. No exponential backoff when the reset is 2 seconds away.

Choosing the Right Multi-Category Unified API for 2026

When evaluating a replacement for Finch, you are really choosing between architectural patterns. Each has real trade-offs:

Cached (Store-and-Sync)

Platforms like Merge.dev (which we've covered in our Merge.dev migration guide) position themselves as leading multi-category unified APIs. However, they utilize a cached, store-and-sync architecture. They constantly poll the upstream APIs, pull your customers' data into their own databases, normalize it, and serve it to you from their cache. While this provides fast read times, it introduces massive security risks. You are copying your customers' most sensitive data—employee salaries, performance reviews, and PII—into a third-party vendor's database. This creates a massive compliance liability for enterprise deals (SOC 2, HIPAA, GDPR). If your unified API provider suffers a breach, your customers' data is compromised.

Real-Time Pass-Through (Zero Data Retention)

Platforms like Apideck (see our guide on migrating from Apideck) and Truto utilize a real-time pass-through architecture. When you request data, the platform translates the request, fetches the data directly from the upstream API, normalizes it in memory, and passes it to your application. Truto ensures zero data retention. Customer payloads are never written to disk. This architecture allows you to pass enterprise security reviews immediately, as you are not introducing a new sub-processor for sensitive PII. The trade-off is higher latency (every call hits the upstream API) and dependency on upstream availability.

Hybrid

Some platforms let you choose per-resource or per-customer. This adds flexibility but also severe configuration complexity.

For teams migrating away from Finch, here is the evaluation framework that matters:

Criterion	Why It Matters for Finch Migration
Category coverage	Does the platform cover HRIS and CRM, ATS, accounting, ticketing? The whole point is avoiding multi-vendor sprawl.
Credential portability	Can you import existing OAuth tokens? Does the platform support bringing your own OAuth apps?
Declarative extensibility	Can you add custom fields, custom resources, or override field mappings without writing code?
Rate limit transparency	Does the platform give you raw 429 headers, or does it silently absorb and retry?
Data retention posture	Does the platform store your customers' data, or pass through in real time?

The global SaaS market is expanding rapidly, and your customers' tech stacks are only getting more complex. A multi-category platform that can handle HRIS, CRM, ATS, accounting, and ticketing from a single integration point is not a convenience—it is a competitive requirement.

The Migration Playbook: What to Do Monday Morning

Here is the honest sequence for an engineering leader evaluating this migration:

Audit your integration surface area: List every Finch connection, grouped by provider and auth type. Flag which ones use your OAuth apps vs. Finch's managed apps.
Map your 12-month product roadmap: If CRM, ATS, or accounting integrations are on the roadmap, the migration math starts favoring consolidation. Multiplied across categories, the $50k-$200k per-integration maintenance budget evaporates fast.
Negotiate credential access: If you do not own your OAuth apps, start the conversation with Finch's team now. Register your own apps with each provider going forward.
Run a proof-of-concept with one provider: Pick BambooHR or Gusto, export the credentials, import them into your target platform, build the declarative JSONata mapping, and validate the output against Finch's responses.
Shadow, validate, flip: Once confident in the mapping and credential portability, run shadow traffic for two weeks, then cut over.

The entire migration for a typical team with 50-100 connected accounts should take 2-4 weeks of focused engineering time. That is a fraction of the cost of building and maintaining a second (and third) integration vendor relationship.

Stop letting your integration infrastructure dictate your product strategy. Migrating away from a single-vertical API does not require burning political capital with your customers. By exporting your OAuth state, importing it into a generic credential context, and mimicking your legacy schemas with declarative mappings, you can execute a silent migration and unblock your product roadmap.