API & developers
REST API overview
The REST API surface: OAuth 2.0 + PKCE auth, the typed TypeScript SDK, idempotency keys, and the OpenAPI 3.1 spec.
Last updated
The REST API exposes the same operations the product uses to read and write issues, projects, comments, boards, and more. A machine-readable OpenAPI 3.1 spec describes every endpoint, so you can import it into Postman, Insomnia, or a codegen pipeline. See the Developers section of the marketing site for the live reference.
Authentication
The API authenticates with OAuth 2.0 using PKCE, supporting both public and confidential clients, refresh-token rotation, and granular per-workspace scopes shown to the user at consent time. A token is bound to the tenant boundary of the member who authorized it — RLS still applies to every request it makes.
Idempotency
Write requests accept an idempotency key so a retried request (after a network blip) does not create a duplicate. Send the same key with the same request and you get the original result back rather than a second side effect.
curl -X POST https://planoda.com/api/v1/issues \
-H "Authorization: Bearer $TOKEN" \
-H "Idempotency-Key: 9f1c-...-a3" \
-H "Content-Type: application/json" \
-d '{ "teamKey": "ENG", "title": "Investigate slow board load" }'The typed SDK
The TypeScript SDK ships full request/response types, validators, retries, and idempotency handling so you do not hand-roll any of the above. Prefer it over raw fetch for anything beyond a one-off script.
Related
- Webhooks overviewSubscribe to workspace events with HMAC-signed, verifiable webhook deliveries.
- Importing & migratingMove work in from Linear, Jira, Trello, Asana, and others — with identifiers, state, and history preserved where possible.
- Permissions & RLSTenant isolation enforced in Postgres with row-level security — the same boundary for the UI, the API, integrations, and AI.