---
title: Drata API Integration on Truto
slug: drata
category: Default
canonical: "https://truto.one/integrations/detail/drata/"
---

# Drata API Integration on Truto

**Category:** Default  
**Status:** Beta

## Unified APIs

### Unified User Directory API

- **Roles** — The Role object represents a role of a User.
- **Users** — The User object represents a User.

## MCP-ready AI tools

Truto exposes 3 tools for Drata that AI agents can call directly.

- **list_all_drata_company_info** — Get company-info in Drata. Returns key fields such as accountId, domain, name, legalName, year, contact info, training/compliance status, connections, addresses, securityReport details, entitlements, and timestamps.
- **list_all_drata_users** — List users in Drata. Returns id, entryId, email, firstName, lastName, jobTitle, avatarUrl, drataTermsAgreedAt, createdAt, updatedAt, roles, backgroundChecks, identities, and documents for each user.
- **get_single_drata_user_by_id** — Get full details of a specific user in Drata. Requires id. Returns user fields such as id, name, email, and status.

## How it works

1. **Link your customer's Drata account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app.
2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request.
3. **Call Truto's API to reach Drata.** The Proxy API is a 1-to-1 mapping of the Drata API.
4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field.

## Use cases

- **Automate User Access Reviews for SOC 2 Compliance** — Identity governance and IAM platforms can pull Drata's user directory — including roles, identities, and compliance status — to orchestrate quarterly access reviews without manual CSV exports or screenshot gathering.
- **Sync Employee Compliance Status into Your Platform** — HR, onboarding, or security awareness training tools can read user-level compliance data from Drata to surface which employees have completed background checks, signed policies, or finished required training — directly inside your product.
- **Surface Company-Wide Audit Readiness in Your Dashboard** — GRC, risk management, or MSP platforms can pull company-level compliance posture from Drata so their users see a real-time snapshot of audit health alongside data from other tools, without switching contexts.
- **Flag Non-Compliant Users Across Connected Systems** — Security platforms can fetch Drata's user list and cross-reference roles and identity data against actual infrastructure permissions, automatically identifying ghost accounts, over-permissioned users, or employees missing required compliance steps.
- **Enrich Incident Response with Personnel Context** — SIEM and incident response tools can look up individual Drata users by ID to pull compliance context — role assignments, background check status, agreed terms — when investigating security events tied to specific employees.

## What you can build

- **Compliance-Aware User Directory Sync** — Continuously import Drata users with their roles, identities, and compliance metadata into your platform using the Unified User Directory API so your customers always have a current personnel view.
- **Automated Quarterly Access Review Reports** — Pull all Drata users and their role assignments on a schedule, then generate access review reports that auditors can sign off on without manual data gathering.
- **Employee Compliance Status Widget** — Embed a per-user compliance summary — background checks, document signatures, Drata terms agreement — directly in your product's employee profile pages by fetching individual users by ID.
- **Audit Readiness Dashboard Card** — Display a company-level compliance health indicator sourced from Drata's company info endpoint, giving your users instant visibility into their organization's overall posture.
- **Non-Compliant Employee Alert Pipeline** — Compare Drata's user list against your system's records to automatically flag and notify admins about employees who are missing required compliance steps like background checks or policy acknowledgments.
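The pieces above fit together in one small pipeline: follow Truto's cursor-based pagination until the last page (step 4 of "How it works"), then cross-reference the Drata user list against an infrastructure account export to flag ghost accounts, over-permissioned users and employees missing compliance steps (the "Flag Non-Compliant Users" use case and the "Non-Compliant Employee Alert Pipeline"). The following is an added example written for this page, not Truto's or Drata's own code. It assumes the pagination cursor field is called `next_cursor`, that roles carry a `name` of `ADMIN` or `EMPLOYEE`, that a background check has a `status` of `PASSED`, and that the infrastructure export has `email` and `admin` fields; the HTTP call to Truto is replaced by a stand-in that serves constructed pages, and only the field names listed on this page (`email`, `roles`, `backgroundChecks`, `drataTermsAgreedAt`, `result`) come from the documentation.

```python
"""Added example (not Truto's or Drata's own code): page through the unified
list-users response and reconcile it against infrastructure accounts."""
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample pages in the single response shape the page describes:
# records in `result`, cursor-based pagination. The cursor field name
# `next_cursor`, the ADMIN/EMPLOYEE role names and the PASSED check status
# are assumptions for this example, not documented values.
SAMPLE_PAGES = {
    None: {
        "result": [
            {"id": 1, "email": "alice@example.com",
             "roles": [{"name": "ADMIN"}],
             "backgroundChecks": [{"status": "PASSED"}],
             "drataTermsAgreedAt": "2024-01-10T00:00:00Z"},
            {"id": 2, "email": "bob@example.com",
             "roles": [{"name": "EMPLOYEE"}],
             "backgroundChecks": [],
             "drataTermsAgreedAt": None},
        ],
        "next_cursor": "page-2",
    },
    "page-2": {
        "result": [
            {"id": 3, "email": "carol@example.com",
             "roles": [{"name": "EMPLOYEE"}],
             "backgroundChecks": [{"status": "PASSED"}],
             "drataTermsAgreedAt": "2024-02-01T00:00:00Z"},
        ],
        "next_cursor": None,
    },
}

# Constructed export from a hypothetical infrastructure system (email + admin flag).
INFRA_ACCOUNTS = [
    {"email": "alice@example.com", "admin": True},
    {"email": "bob@example.com", "admin": False},
    {"email": "Carol@Example.com", "admin": True},
    {"email": "svc-legacy@example.com", "admin": True},
]


def fake_fetch(cursor: Optional[str]) -> dict:
    """Stands in for the HTTP call to Truto; real code would pass the cursor
    to the list_all_drata_users tool or the Unified User Directory API."""
    return SAMPLE_PAGES[cursor]


def iter_users(fetch: Callable[[Optional[str]], dict],
               max_pages: int = 1000) -> Iterator[dict]:
    """Follow cursors until the API stops returning one. Guards against a
    cursor that repeats, or a feed that never ends, so a bad upstream
    response cannot turn the sync into an infinite loop."""
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        page = fetch(cursor)
        yield from page.get("result", [])
        cursor = page.get("next_cursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError(f"cursor {cursor!r} repeated; aborting pagination")
        seen.add(cursor)
    raise RuntimeError("exceeded max_pages without reaching the last page")


def is_compliant(user: dict) -> bool:
    """Compliant means at least one background check passed and the Drata
    terms have been agreed to (drataTermsAgreedAt is set)."""
    checks = user.get("backgroundChecks") or []
    passed = any(c.get("status") == "PASSED" for c in checks)
    return passed and bool(user.get("drataTermsAgreedAt"))


def review(users: List[dict], infra_accounts: List[dict]) -> Dict[str, List[str]]:
    """Cross-reference Drata users with infrastructure accounts. Emails are
    lower-cased on both sides so a case difference does not create a false
    ghost account."""
    by_email = {u["email"].lower(): u for u in users if u.get("email")}
    findings: Dict[str, List[str]] = {
        "ghost_accounts": [],      # in infrastructure, unknown to Drata
        "over_permissioned": [],   # infra admin without a Drata ADMIN role
        "missing_compliance": [],  # Drata user failing is_compliant()
    }
    for acct in infra_accounts:
        email = acct["email"].lower()
        user = by_email.get(email)
        if user is None:
            findings["ghost_accounts"].append(email)
            continue
        roles = {r.get("name") for r in user.get("roles") or []}
        if acct.get("admin") and "ADMIN" not in roles:
            findings["over_permissioned"].append(email)
    for email, user in sorted(by_email.items()):
        if not is_compliant(user):
            findings["missing_compliance"].append(email)
    return findings


def run_review() -> Dict[str, List[str]]:
    """Full pipeline: paginate, then reconcile."""
    return review(list(iter_users(fake_fetch)), INFRA_ACCOUNTS)


if __name__ == "__main__":
    for category, emails in run_review().items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Two design points worth keeping in a real implementation: the paginator is bounded and detects a repeated cursor, because an upstream bug or a truncated response must not leave a scheduled sync spinning; and the reconciliation keys on normalised email rather than display name, since a case mismatch is the most common cause of false ghost-account alerts.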

## FAQs

### What operations does the Drata integration support through Truto?

The integration currently supports three read operations: listing all company info, listing all users, and fetching a single user by ID. These map to Truto's Unified User Directory API resources (Users, Roles).

### What user data can I pull from Drata via Truto?

Each Drata user record includes fields like email, jobTitle, roles, identities, backgroundChecks, documents, and drataTermsAgreedAt — giving you both identity and compliance-specific metadata per employee.

### Does Truto handle authentication with Drata?

Yes. Truto manages the full auth flow for Drata. Your end users connect their Drata account through Truto's embedded linking experience, and Truto handles token management and secure credential storage.

### Does Truto handle pagination when listing Drata users?

Yes. Truto abstracts away Drata's pagination logic. When you call list_all_drata_users, Truto manages page cursors and rate limits behind the scenes so you receive a complete dataset through a consistent interface.

### Can I write data back to Drata through this integration?

The currently available tools are read-only — list company info, list users, and get a user by ID. Write operations are not included in the current tool set. Contact Truto if you need push capabilities.

### How does Drata data map to Truto's Unified User Directory API?

Drata users and their role assignments are normalized into Truto's unified Users and Roles resources. This means you can query Drata user data using the same schema you use for other identity providers connected through Truto.
