API Reference
The Stellary REST API lets you programmatically manage organizations, workspaces, projects, boards, cards, and strategic pilotage. All endpoints return JSON.
Base URL: http://localhost:3001 (self-hosted) or your deployment URL.
Authentication
Stellary supports two authentication methods. Both use the Authorization header with a Bearer token:
Authorization: Bearer <token>JWT Tokens
Obtained by calling POST /auth/login or POST /auth/register. JWTs expire after 7 days by default (configurable via JWT_EXPIRES_IN).
Personal Access Tokens (PAT)
Created via POST /api-tokens. PATs support scoped permissions and optional expiration. The full token is only returned at creation — store it securely.
Both token types work with all endpoints. The backend tries JWT validation first, then PAT lookup.
Authorization Hierarchy
Bearer Token validated (JWT or PAT) ↓OrgAccessGuard → checks user is a member of :orgSlug ↓WorkspaceAccessGuard → checks user is a member of :wsSlug ↓Endpoint handlerError Handling
All errors return a consistent JSON structure:
{ "statusCode": 400, "message": "Validation failed", "error": "Bad Request"}| Code | Meaning | When |
|---|---|---|
400 | Bad Request | Validation failure, missing fields |
401 | Unauthorized | Invalid / expired / missing token |
403 | Forbidden | Insufficient role or permissions |
404 | Not Found | Resource doesn't exist or not accessible |
409 | Conflict | Duplicate entry, invalid state transition |
500 | Internal Error | Server error |
Auth
User registration, login, and profile management.
/auth/registerCreate a new account. Returns a JWT and user object. Automatically creates a personal organization and workspace.
emailstringrequiredValid email addresspasswordstringrequired8-128 charactersnamestringDisplay name, max 100 charscurl -X POST http://localhost:3001/auth/register \ -H "Content-Type: application/json" \ -d '{ "email": "user@example.com", "password": "secure-pass-123", "name": "Jane Doe"}'{ "access_token": "eyJhbGciOiJIUzI1NiIs...", "user": { "id": "665f1a2b3c4d5e6f7a8b9c0d", "email": "user@example.com", "name": "Jane Doe" }}/auth/loginAuthenticate and receive a JWT.
emailstringrequiredAccount emailpasswordstringrequiredAccount passwordcurl -X POST http://localhost:3001/auth/login \ -H "Content-Type: application/json" \ -d '{ "email": "user@example.com", "password": "secure-pass-123"}'{ "access_token": "eyJhbGciOiJIUzI1NiIs...", "user": { "id": "665f1a2b3c4d5e6f7a8b9c0d", "email": "user@example.com", "name": "Jane Doe", "pilotageRole": "owner" }}/auth/meGet the current authenticated user's profile.
curl http://localhost:3001/auth/me \ -H "Authorization: Bearer YOUR_TOKEN"{ "user": { "id": "665f1a2b3c4d5e6f7a8b9c0d", "email": "user@example.com", "name": "Jane Doe", "pilotageRole": "owner" }}/auth/meUpdate the current user's profile.
namestringMax 100 characterscurl -X PATCH http://localhost:3001/auth/me \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Jane Smith"}'/auth/change-passwordChange the current user's password. Requires the current password for verification.
currentPasswordstringrequiredCurrent passwordnewPasswordstringrequired8-128 characterscurl -X POST http://localhost:3001/auth/change-password \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "currentPassword": "old-password", "newPassword": "new-secure-pass"}'Organizations
Organizations are the top-level container. They hold workspaces and members.
/organizationsCreate a new organization. The creator becomes the owner.
namestringrequiredOrganization nameslugstringrequired2-60 chars, lowercase, alphanumeric + hyphenscurl -X POST http://localhost:3001/organizations \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Acme Corp", "slug": "acme-corp"}'{ "id": "665f1a2b...", "name": "Acme Corp", "slug": "acme-corp", "ownerId": "665f1a2b...", "createdAt": "2026-01-15T10:30:00Z"}/organizationsList all organizations the current user is a member of.
curl http://localhost:3001/organizations \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f1a2b...", "name": "Acme Corp", "slug": "acme-corp", "myRole": "owner" }]/organizations/:orgSlugGet a single organization by slug. Requires membership.
orgSlugstringrequiredcurl http://localhost:3001/organizations/acme \ -H "Authorization: Bearer YOUR_TOKEN"{ "id": "665f1a2b...", "name": "Acme Corp", "slug": "acme-corp", "ownerId": "665f1a2b...", "myRole": "owner"}/organizations/:orgSlugUpdate organization details.
orgSlugstringrequiredcurl -X PATCH http://localhost:3001/organizations/acme \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Acme Corporation"}'/organizations/:orgSlugDelete an organization and all its workspaces, projects, and data. Owner only.
orgSlugstringrequiredcurl -X DELETE http://localhost:3001/organizations/acme \ -H "Authorization: Bearer YOUR_TOKEN"Organization Members
/organizations/:orgSlug/membersList all members of an organization with their roles.
orgSlugstringrequiredcurl http://localhost:3001/organizations/acme/members \ -H "Authorization: Bearer YOUR_TOKEN"[ { "userId": "665f1a2b...", "role": "owner", "email": "owner@acme.com" }, { "userId": "665f1b3c...", "role": "member", "email": "dev@acme.com" }]/organizations/:orgSlug/membersAdd a member to the organization by email.
orgSlugstringrequiredemailstringrequiredEmail of the user to addrolestringrequired"admin" or "member"curl -X POST http://localhost:3001/organizations/acme/members \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "email": "new-member@acme.com", "role": "member"}'/organizations/:orgSlug/members/:userIdUpdate a member's role. Cannot change the owner.
orgSlugstringrequireduserIdstringrequiredcurl -X PATCH http://localhost:3001/organizations/acme/members/USER_ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "role": "admin"}'/organizations/:orgSlug/members/:userIdRemove a member from the organization.
orgSlugstringrequireduserIdstringrequiredcurl -X DELETE http://localhost:3001/organizations/acme/members/USER_ID \ -H "Authorization: Bearer YOUR_TOKEN"Workspaces
Workspaces live inside organizations and contain projects. Each workspace has its own member list and roles.
/orgs/:orgSlug/workspacesCreate a new workspace within an organization.
orgSlugstringrequirednamestringrequiredWorkspace nameslugstringrequired2-60 chars, lowercasecurl -X POST http://localhost:3001/orgs/acme/workspaces \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Engineering", "slug": "engineering"}'/orgs/:orgSlug/workspacesList all workspaces in the organization that the user has access to.
orgSlugstringrequiredcurl http://localhost:3001/orgs/acme/workspaces \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlugGet a single workspace by slug.
orgSlugstringrequiredwsSlugstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng \ -H "Authorization: Bearer YOUR_TOKEN"{ "id": "665f2d4e...", "name": "Engineering", "slug": "engineering", "organizationId": "665f1a2b...", "ownerId": "665f1a2b...", "isPersonal": false, "myRole": "admin", "myPilotageRole": "owner", "createdAt": "2026-01-15T10:30:00Z", "updatedAt": "2026-01-15T10:30:00Z"}Workspace Members
/orgs/:orgSlug/workspaces/:wsSlug/members/inviteSend an email invitation to join the workspace. Creates a unique invitation token.
orgSlugstringrequiredwsSlugstringrequiredemailstringrequiredEmail to inviterolestring"admin" or "member"curl -X POST http://localhost:3001/orgs/acme/workspaces/eng/members/invite \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "email": "teammate@company.com", "role": "member"}'/invitations/:token/acceptAccept a workspace invitation using the token from the invitation email.
tokenstringrequiredcurl -X POST http://localhost:3001/invitations/INVITE_TOKEN/accept \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/members/:userIdUpdate a member's workspace role and/or pilotage role.
orgSlugstringrequiredwsSlugstringrequireduserIdstringrequiredrolestring"admin" or "member"pilotageRolestring"viewer", "reviewer", or "owner"curl -X PATCH http://localhost:3001/orgs/acme/workspaces/eng/members/USER_ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "role": "admin", "pilotageRole": "reviewer"}'Projects
Projects contain kanban boards with columns and cards. All project endpoints are scoped to a workspace.
/orgs/:orgSlug/workspaces/:wsSlug/projectsCreate a new project in the workspace.
orgSlugstringrequiredwsSlugstringrequirednamestringrequiredProject namecurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Q1 Launch"}'{ "id": "665f2d4e...", "name": "Q1 Launch", "workspaceId": "665f2d4e...", "createdAt": "2026-03-10T10:00:00Z"}/orgs/:orgSlug/workspaces/:wsSlug/projectsList all projects in the workspace.
orgSlugstringrequiredwsSlugstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectIdGet a single project by ID.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectIdUpdate project details.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl -X PATCH http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Q1 Launch v2"}'/orgs/:orgSlug/workspaces/:wsSlug/projects/portfolioGet a portfolio summary of all projects with aggregated metrics.
orgSlugstringrequiredwsSlugstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/portfolio \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/projects/templatesList available project templates.
orgSlugstringrequiredwsSlugstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/templates \ -H "Authorization: Bearer YOUR_TOKEN"Project Import & Export
/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/exportExport a project as a complete JSON snapshot (columns, cards, metadata).
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/export \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/projects/importImport a project from a JSON structure. Supports up to 50 columns and 500 cards.
orgSlugstringrequiredwsSlugstringrequiredcurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects/import \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "project": { "name": "Imported" }, "columns": [ { "name": "To Do" }, { "name": "In Progress" }, { "name": "Done" } ], "cards": [ { "title": "First task", "columnIndex": 0, "priority": "medium" } ]}'Project Members
/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/membersList project members.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/members \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/membersAdd a member to the project by email.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/members \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "email": "dev@company.com"}'/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/members/:userIdRemove a member from the project.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequireduserIdstringrequiredcurl -X DELETE http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/members/USER_ID \ -H "Authorization: Bearer YOUR_TOKEN"Columns
Columns define workflow stages on a project board. Each column has a name and an order.
/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/columnsCreate a new column.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/columns \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "In Review"}'/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/columnsList all columns in a project, ordered by position.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/columns \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f3e5f...", "name": "To Do", "projectId": "665f2d4e...", "order": 0, "createdAt": "2026-01-15T10:30:00Z" }]/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/columns/:columnIdUpdate a column's name or order.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcolumnIdstringrequiredcurl -X PATCH http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/columns/COL_ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "Code Review"}'/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/columns/:columnIdDelete a column.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcolumnIdstringrequiredcurl -X DELETE http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/columns/COL_ID \ -H "Authorization: Bearer YOUR_TOKEN"{ "ok": true }Cards
Cards are the core work items. They live in columns and support rich metadata.
/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cardsList all cards in a project (across all columns).
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f4f6a...", "title": "Design API endpoints", "description": "REST routes for billing module", "columnId": "665f3e5f...", "order": 0, "archived": false, "priority": "high", "dueDate": "2026-04-01T00:00:00Z", "assigneeId": "665f1a2b...", "checklist": [ { "_id": "a1b2c3", "title": "List endpoints", "done": true, "order": 0 } ], "commentCount": 3, "attachmentCount": 1 }]/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/columns/:columnId/cardsCreate a card in a specific column.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcolumnIdstringrequiredtitlestringrequired1-500 charactersdescriptionstringMax 5000 charactersprioritystringlow | medium | highstartDatestringISO datedueDatestringISO dateassigneeIdstringMongoId of assigneechecklistarrayMax 100 itemscurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/columns/COL_ID/cards \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "title": "Implement billing API", "description": "See spec in docs", "priority": "high", "dueDate": "2026-04-01", "assigneeId": "665f1a2b...", "checklist": [ { "title": "Setup routes", "done": false, "order": 0 } ]}'/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardIdUpdate any card field. Only include fields you want to change. Set nullable fields to null to clear them.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcurl -X PATCH http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "title": "Updated title", "columnId": "665f3e5f...", "order": 2, "priority": "medium", "dueDate": null, "archived": true}'/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardIdPermanently delete a card.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcurl -X DELETE http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID \ -H "Authorization: Bearer YOUR_TOKEN"{ "ok": true }Comments
Comments on cards. Base path includes the project and card IDs.
/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/commentsList all comments on a card, ordered by creation date.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/comments \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f5a7b...", "cardId": "665f4f6a...", "authorId": "665f1a2b...", "authorName": "Jane Doe", "content": "Spec looks good, let's proceed.", "createdAt": "2026-03-10T14:22:00Z" }]/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/commentsPost a comment on a card.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcontentstringrequired1-2000 characterscurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/comments \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "content": "What about error handling?"}'/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/comments/:commentIdDelete a comment.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcommentIdstringrequiredcurl -X DELETE http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/comments/CMT_ID \ -H "Authorization: Bearer YOUR_TOKEN"Attachments
File attachments on cards. Max file size: 10 MB.
/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/attachmentsList all attachments on a card.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/attachments \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f6b8c...", "cardId": "665f4f6a...", "uploadedBy": "665f1a2b...", "originalName": "api-spec.pdf", "mimeType": "application/pdf", "size": 245760, "createdAt": "2026-03-10T14:30:00Z" }]/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/attachmentsUpload a file. Use multipart/form-data with field name 'file'.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredcurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/attachments \ -H "Authorization: Bearer YOUR_TOKEN" \ -F "file=@./document.pdf"/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/attachments/:attachmentIdDownload an attachment. Returns the raw file stream with the correct MIME type.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredattachmentIdstringrequiredcurl http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/attachments/ATT_ID \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/projects/:projectId/cards/:cardId/attachments/:attachmentIdDelete an attachment.
orgSlugstringrequiredwsSlugstringrequiredprojectIdstringrequiredcardIdstringrequiredattachmentIdstringrequiredcurl -X DELETE http://localhost:3001/orgs/acme/workspaces/eng/projects/PROJ_ID/cards/CARD_ID/attachments/ATT_ID \ -H "Authorization: Bearer YOUR_TOKEN"Notifications
Activity-based notifications for the current user. Generated automatically when cards are created, updated, moved, assigned, or commented on.
/notificationsList notifications for the current user.
limitnumberMax results (default: 50)unreadOnlystring"true" or "1" to filter unread onlycurl http://localhost:3001/notifications \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f7c9d...", "userId": "665f1a2b...", "readAt": null, "activity": { "type": "card_moved", "actorId": "665f1b3c...", "meta": { "fromColumn": "To Do", "toColumn": "In Progress" }, "createdAt": "2026-03-10T15:00:00Z" } }]/notifications/countGet unread notification count.
curl http://localhost:3001/notifications/count \ -H "Authorization: Bearer YOUR_TOKEN"{ "count": 12 }/notifications/read-allMark all notifications as read.
curl -X PATCH http://localhost:3001/notifications/read-all \ -H "Authorization: Bearer YOUR_TOKEN"/notifications/:id/readMark a single notification as read.
idstringrequiredcurl -X PATCH http://localhost:3001/notifications/ID/read \ -H "Authorization: Bearer YOUR_TOKEN"Activity Types
| Type | Triggered When |
|---|---|
card_created | A new card is created |
card_updated | Card fields are modified |
card_moved | Card moves to a different column |
card_archived | Card is archived |
card_deleted | Card is permanently deleted |
card_assigned | Card assignee changes |
comment_added | A comment is posted on a card |
member_added | A member joins the project |
member_removed | A member is removed |
Pilotage
The strategic command center. Manages missions, priorities, todos, decisions, documentation, and AI-proposed actions. All endpoints are workspace-scoped.
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/stateGet the complete pilotage state for a workspace. Same data exposed to AI agents via MCP's get_pilotage_state tool.
orgSlugstringrequiredwsSlugstringrequiredprofilestringpilotage | execution | revue (default: pilotage)intentstringweekly_review | daily_execution | sprint_planning | context_onlydetailLevelstringminimal | standard | detailed (default: standard)curl http://localhost:3001/orgs/acme/workspaces/eng/pilotage/state \ -H "Authorization: Bearer YOUR_TOKEN"{ "cycle": "v8", "contractVersion": 7, "missions": [ { "id": "m-001", "objective": "Implement billing module", "module": "billing", "status": "in_progress", "blockedReason": null } ], "activePriorities": [...], "todos": [...], "decisions": [...], "activeDocs": [...], "usageContext": { "profile": "pilotage", "role": "owner", "intent": "weekly_review" }}Missions
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/missionsCreate a new mission.
orgSlugstringrequiredwsSlugstringrequiredobjectivestringrequiredMission objectivemodulestringModule namecurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/missions \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "objective": "Implement billing module", "module": "billing"}'/orgs/:orgSlug/workspaces/:wsSlug/pilotage/missions/:idUpdate a mission's status or details.
orgSlugstringrequiredwsSlugstringrequiredidstringrequiredstatusstringto_launch | in_progress | blocked | doneblockedReasonstringMax 200 chars, or null to clearcurl -X PATCH http://localhost:3001/orgs/acme/workspaces/eng/pilotage/missions/ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "status": "blocked", "blockedReason": "Waiting on API"}'Priorities
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/prioritiesCreate a new priority.
orgSlugstringrequiredwsSlugstringrequiredcurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/priorities \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "label": "Ship billing MVP", "module": "billing"}'Todos
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/todosCreate a new todo.
orgSlugstringrequiredwsSlugstringrequiredlabelstringrequiredTodo labelmissionIdstringLink to a missionpriorityIdstringLink to a prioritycurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/todos \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "label": "Write Stripe integration tests", "missionId": "m-001", "priorityId": "p-001"}'/orgs/:orgSlug/workspaces/:wsSlug/pilotage/todos/:idUpdate a todo's status.
orgSlugstringrequiredwsSlugstringrequiredidstringrequiredstatusstringtodo | in_progress | blocked | donecurl -X PATCH http://localhost:3001/orgs/acme/workspaces/eng/pilotage/todos/ID \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "status": "done"}'Decisions
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/decisionsRecord a strategic decision.
orgSlugstringrequiredwsSlugstringrequiredtitlestringrequiredDecision titleimpactstringImpact descriptioncurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/decisions \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "title": "Use Stripe over custom billing", "impact": "Reduces dev time by 3 weeks, adds 2.9% transaction fee"}'Active Docs
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/docsRegister an active document.
orgSlugstringrequiredwsSlugstringrequiredtitlestringrequiredDocument titleownerstringOwner namesourceTypestringproduct | tech | sprint | opscurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/docs \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "title": "Billing API Spec v2", "owner": "Jane Doe", "sourceType": "tech"}'Proposed Actions (AI Review)
/orgs/:orgSlug/workspaces/:wsSlug/pilotage/actions/proposeSubmit an AI-proposed action for human review.
orgSlugstringrequiredwsSlugstringrequiredactionTypestringrequiredMax 100 charsexplanationstringrequiredMax 500 charspayloadobjectOptional context datacurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/actions/propose \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "actionType": "move_card", "explanation": "All subtasks complete, move to Done", "payload": { "cardId": "665f4f6a...", "targetColumn": "Done" }}'{ "id": "act-001", "actionType": "move_card", "explanation": "All subtasks complete, move to Done", "status": "suggested", "payload": { "cardId": "665f4f6a...", "targetColumn": "Done" }, "createdAt": "2026-03-10T15:30:00Z"}/orgs/:orgSlug/workspaces/:wsSlug/pilotage/actionsList proposed actions, optionally filtered by status.
orgSlugstringrequiredwsSlugstringrequiredstatusstringsuggested | approved | rejected | appliedcurl http://localhost:3001/orgs/acme/workspaces/eng/pilotage/actions \ -H "Authorization: Bearer YOUR_TOKEN"/orgs/:orgSlug/workspaces/:wsSlug/pilotage/actions/:id/reviewApprove or reject a proposed action.
orgSlugstringrequiredwsSlugstringrequiredidstringrequiredapprovedbooleanrequiredtrue to approve, false to rejectreasonstringOptional, max 200 charscurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/actions/ID/review \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "approved": true, "reason": "Looks correct"}'/orgs/:orgSlug/workspaces/:wsSlug/pilotage/actions/:id/applyApply an approved action. Only works on actions with status 'approved'.
orgSlugstringrequiredwsSlugstringrequiredidstringrequiredcurl -X POST http://localhost:3001/orgs/acme/workspaces/eng/pilotage/actions/ID/apply \ -H "Authorization: Bearer YOUR_TOKEN"API Tokens
Manage Personal Access Tokens for programmatic API access. These endpoints require JWT authentication (not PAT) to prevent token escalation.
/api-tokensCreate a new token. The full token value is only returned once.
namestringrequiredMax 100 charsscopesarrayDefaults to all scopesexpiresAtstringISO date or null for no expirycurl -X POST http://localhost:3001/api-tokens \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "name": "CI Pipeline", "scopes": [ "projects:read", "projects:write" ], "expiresAt": "2027-01-01T00:00:00Z"}'{ "id": "665f8dae...", "token": "synth_a1b2c3d4e5f6...", "name": "CI Pipeline", "prefix": "synth_a1b2", "scopes": ["projects:read", "projects:write"], "expiresAt": "2027-01-01T00:00:00Z", "createdAt": "2026-03-10T16:00:00Z"}/api-tokensList all tokens for the current user. Does not include the full token value.
curl http://localhost:3001/api-tokens \ -H "Authorization: Bearer YOUR_TOKEN"[ { "id": "665f8dae...", "name": "CI Pipeline", "prefix": "synth_a1b2", "scopes": ["projects:read", "projects:write"], "expiresAt": "2027-01-01T00:00:00Z", "lastUsedAt": "2026-03-12T09:15:00Z", "createdAt": "2026-03-10T16:00:00Z" }]/api-tokens/:idRevoke a token permanently.
idstringrequiredcurl -X DELETE http://localhost:3001/api-tokens/ID \ -H "Authorization: Bearer YOUR_TOKEN"Available Scopes
| Scope | Grants Access To |
|---|---|
projects:read | Read projects, columns, cards, comments, attachments |
projects:write | Create/update/delete projects, columns, cards, comments, attachments |
pilotage:read | Read pilotage state (missions, priorities, todos, decisions) |
pilotage:write | Create/update missions, todos, decisions; propose actions |
notifications:read | Read and manage notifications |
account:read | Read user profile |
account:write | Update user profile |
Scopes
Scopes are logical work packages or phases within a project. Each scope has its own columns, cards, and views (Kanban, List, Calendar, Roadmap, Stats).
/…/projects/:projectId/scopesCreate a new scope within a project.
projectIdstringrequiredcurl -X POST http://localhost:3001/…/projects/PROJ_ID/scopes \ -H "Authorization: Bearer YOUR_TOKEN"/…/projects/:projectId/scopesList all scopes for a project.
projectIdstringrequiredcurl http://localhost:3001/…/projects/PROJ_ID/scopes \ -H "Authorization: Bearer YOUR_TOKEN"/…/scopes/:scopeIdGet scope details including columns and view configuration.
scopeIdstringrequiredcurl http://localhost:3001/…/scopes/SCOPEID \ -H "Authorization: Bearer YOUR_TOKEN"/…/scopes/:scopeIdUpdate scope name or settings.
scopeIdstringrequiredcurl -X PATCH http://localhost:3001/…/scopes/SCOPEID \ -H "Authorization: Bearer YOUR_TOKEN"/…/scopes/:scopeIdDelete a scope and all its contents.
scopeIdstringrequiredcurl -X DELETE http://localhost:3001/…/scopes/SCOPEID \ -H "Authorization: Bearer YOUR_TOKEN"Scope Views
Each scope supports 5 view types: kanban, list, calendar, roadmap, stats.
/…/scopes/:scopeId/viewsList available views and the currently active view.
scopeIdstringrequiredcurl http://localhost:3001/…/scopes/SCOPEID/views \ -H "Authorization: Bearer YOUR_TOKEN"/…/scopes/:scopeId/viewsSwitch the active view type.
scopeIdstringrequiredcurl -X PATCH http://localhost:3001/…/scopes/SCOPEID/views \ -H "Authorization: Bearer YOUR_TOKEN"Labels
Color-coded tags for categorizing cards. Labels are defined at the project level and can be applied to any card within that project.
/…/projects/:projectId/labelsCreate a new label with a name and color.
projectIdstringrequiredcurl -X POST http://localhost:3001/…/projects/PROJ_ID/labels \ -H "Authorization: Bearer YOUR_TOKEN"/…/projects/:projectId/labelsList all labels for a project.
projectIdstringrequiredcurl http://localhost:3001/…/projects/PROJ_ID/labels \ -H "Authorization: Bearer YOUR_TOKEN"/…/labels/:labelIdUpdate label name or color.
labelIdstringrequiredcurl -X PATCH http://localhost:3001/…/labels/LABELID \ -H "Authorization: Bearer YOUR_TOKEN"/…/labels/:labelIdDelete a label. Removes it from all cards.
labelIdstringrequiredcurl -X DELETE http://localhost:3001/…/labels/LABELID \ -H "Authorization: Bearer YOUR_TOKEN"/…/cards/:cardId/labels/:labelIdAdd a label to a card.
cardIdstringrequiredlabelIdstringrequiredcurl -X POST http://localhost:3001/…/cards/CARD_ID/labels/LABELID \ -H "Authorization: Bearer YOUR_TOKEN"/…/cards/:cardId/labels/:labelIdRemove a label from a card.
cardIdstringrequiredlabelIdstringrequiredcurl -X DELETE http://localhost:3001/…/cards/CARD_ID/labels/LABELID \ -H "Authorization: Bearer YOUR_TOKEN"Custom Fields
Project-level custom metadata fields. Supported types: text, number, select, multi-select, date, boolean.
/…/projects/:projectId/custom-fieldsCreate a custom field definition. For select/multi-select, include options array.
projectIdstringrequiredcurl -X POST http://localhost:3001/…/projects/PROJ_ID/custom-fields \ -H "Authorization: Bearer YOUR_TOKEN"/…/projects/:projectId/custom-fieldsList all custom field definitions for a project.
projectIdstringrequiredcurl http://localhost:3001/…/projects/PROJ_ID/custom-fields \ -H "Authorization: Bearer YOUR_TOKEN"/…/custom-fields/:fieldIdUpdate field name, type, or options.
fieldIdstringrequiredcurl -X PATCH http://localhost:3001/…/custom-fields/FIELDID \ -H "Authorization: Bearer YOUR_TOKEN"/…/custom-fields/:fieldIdDelete a custom field. Removes values from all cards.
fieldIdstringrequiredcurl -X DELETE http://localhost:3001/…/custom-fields/FIELDID \ -H "Authorization: Bearer YOUR_TOKEN"/…/cards/:cardId/custom-fieldsSet custom field values for a card. Body is an object mapping fieldId to value.
cardIdstringrequiredcurl -X PATCH http://localhost:3001/…/cards/CARD_ID/custom-fields \ -H "Authorization: Bearer YOUR_TOKEN"Card Relations
Link cards together with typed relationships: blocks / blocked_by, related_to, duplicates, parent_of.
/…/cards/:cardId/relationsCreate a relation between two cards. Body: { targetCardId, type }.
cardIdstringrequiredcurl -X POST http://localhost:3001/…/cards/CARD_ID/relations \ -H "Authorization: Bearer YOUR_TOKEN"/…/cards/:cardId/relationsList all relations for a card.
cardIdstringrequiredcurl http://localhost:3001/…/cards/CARD_ID/relations \ -H "Authorization: Bearer YOUR_TOKEN"/…/relations/:relationIdDelete a relation.
relationIdstringrequiredcurl -X DELETE http://localhost:3001/…/relations/RELATIONID \ -H "Authorization: Bearer YOUR_TOKEN"Checklists
Checklist items within a card. Progress percentage is computed automatically and displayed on the card.
/…/cards/:cardId/checklistAdd a checklist item. Body: { title }.
cardIdstringrequiredcurl -X POST http://localhost:3001/…/cards/CARD_ID/checklist \ -H "Authorization: Bearer YOUR_TOKEN"/…/cards/:cardId/checklist/:itemIdUpdate a checklist item (toggle checked, rename).
cardIdstringrequireditemIdstringrequiredcurl -X PATCH http://localhost:3001/…/cards/CARD_ID/checklist/ITEMID \ -H "Authorization: Bearer YOUR_TOKEN"/…/cards/:cardId/checklist/:itemIdDelete a checklist item.
cardIdstringrequireditemIdstringrequiredcurl -X DELETE http://localhost:3001/…/cards/CARD_ID/checklist/ITEMID \ -H "Authorization: Bearer YOUR_TOKEN"Documents
Knowledge base with 8 document types: document, spec, brief, adr, note, reference, template, spreadsheet. Documents can be scoped to organization, workspace, project, or scope level.
/…/documentsCreate a document. Body includes title, docType, content (TipTap JSON), and optional parentId.
curl -X POST http://localhost:3001/…/documents \ -H "Authorization: Bearer YOUR_TOKEN"/…/documentsList documents. Filter by docType, context scope, or parentId.
curl http://localhost:3001/…/documents \ -H "Authorization: Bearer YOUR_TOKEN"/…/documents/:documentIdGet full document with content.
documentIdstringrequiredcurl http://localhost:3001/…/documents/DOCUMENTID \ -H "Authorization: Bearer YOUR_TOKEN"/…/documents/:documentIdUpdate document title, content, or metadata. Auto-saves supported.
documentIdstringrequiredcurl -X PATCH http://localhost:3001/…/documents/DOCUMENTID \ -H "Authorization: Bearer YOUR_TOKEN"/…/documents/:documentIdDelete a document.
documentIdstringrequiredcurl -X DELETE http://localhost:3001/…/documents/DOCUMENTID \ -H "Authorization: Bearer YOUR_TOKEN"Review Workflow
Documents can be submitted for review. Statuses: draft → pending_review → approved / changes_requested.
/…/documents/:documentId/submit-reviewSubmit a document for review.
documentIdstringrequiredcurl -X POST http://localhost:3001/…/documents/DOCUMENTID/submit-review \ -H "Authorization: Bearer YOUR_TOKEN"/…/documents/:documentId/reviewReview a document. Body: { status, notes }.
documentIdstringrequiredcurl -X POST http://localhost:3001/…/documents/DOCUMENTID/review \ -H "Authorization: Bearer YOUR_TOKEN"Agents
Workspace-scoped AI agents with configurable tools and autonomy levels. Three modes: supervised (propose + approve), autonomous (execute directly), approval (batch review).
/…/agentsCreate an agent. Body: name, slug, autonomyMode, tools whitelist, rate limits.
curl -X POST http://localhost:3001/…/agents \ -H "Authorization: Bearer YOUR_TOKEN"/…/agentsList all agents in the workspace.
curl http://localhost:3001/…/agents \ -H "Authorization: Bearer YOUR_TOKEN"/…/agents/:agentIdGet agent details and configuration.
agentIdstringrequiredcurl http://localhost:3001/…/agents/AGENTID \ -H "Authorization: Bearer YOUR_TOKEN"/…/agents/:agentIdUpdate agent configuration.
agentIdstringrequiredcurl -X PATCH http://localhost:3001/…/agents/AGENTID \ -H "Authorization: Bearer YOUR_TOKEN"/…/agents/:agentIdDelete an agent.
agentIdstringrequiredcurl -X DELETE http://localhost:3001/…/agents/AGENTID \ -H "Authorization: Bearer YOUR_TOKEN"Missions
Card-level AI tasks with real-time SSE streaming. Lifecycle: queued → running → awaiting_approval → completed / failed / cancelled.
/…/agents/:agentId/missionsCreate a mission on a card. Body: { cardId, prompt }.
agentIdstringrequiredcurl -X POST http://localhost:3001/…/agents/AGENTID/missions \ -H "Authorization: Bearer YOUR_TOKEN"/…/agents/:agentId/missionsList missions for an agent.
agentIdstringrequiredcurl http://localhost:3001/…/agents/AGENTID/missions \ -H "Authorization: Bearer YOUR_TOKEN"/…/missions/:missionIdGet mission details and progress.
missionIdstringrequiredcurl http://localhost:3001/…/missions/MISSIONID \ -H "Authorization: Bearer YOUR_TOKEN"/…/missions/:missionId/cancelCancel a running mission.
missionIdstringrequiredcurl -X POST http://localhost:3001/…/missions/MISSIONID/cancel \ -H "Authorization: Bearer YOUR_TOKEN"Proposals
Supervised agents propose changes before execution. Each proposal contains the action to perform and can be approved or rejected.
/…/missions/:missionId/proposalsList proposals for a mission.
missionIdstringrequiredcurl http://localhost:3001/…/missions/MISSIONID/proposals \ -H "Authorization: Bearer YOUR_TOKEN"/…/proposals/:proposalId/approveApprove a proposal. The action will be executed.
proposalIdstringrequiredcurl -X POST http://localhost:3001/…/proposals/PROPOSALID/approve \ -H "Authorization: Bearer YOUR_TOKEN"/…/proposals/:proposalId/rejectReject a proposal. Body: { reason }.
proposalIdstringrequiredcurl -X POST http://localhost:3001/…/proposals/PROPOSALID/reject \ -H "Authorization: Bearer YOUR_TOKEN"Automations
Project-level automation rules. 7 trigger types: task_moved, task_created, checklist_complete, due_date_reached, task_status_changed, task_assigned, task_added_to_board.
/…/automationsCreate an automation rule. Body: trigger, conditions (JSON), action.
curl -X POST http://localhost:3001/…/automations \ -H "Authorization: Bearer YOUR_TOKEN"/…/automationsList all automation rules for a project.
curl http://localhost:3001/…/automations \ -H "Authorization: Bearer YOUR_TOKEN"/…/automations/:ruleIdGet automation rule details.
ruleIdstringrequiredcurl http://localhost:3001/…/automations/RULEID \ -H "Authorization: Bearer YOUR_TOKEN"/…/automations/:ruleIdUpdate an automation rule.
ruleIdstringrequiredcurl -X PATCH http://localhost:3001/…/automations/RULEID \ -H "Authorization: Bearer YOUR_TOKEN"/…/automations/:ruleIdDelete an automation rule.
ruleIdstringrequiredcurl -X DELETE http://localhost:3001/…/automations/RULEID \ -H "Authorization: Bearer YOUR_TOKEN"/…/automations/:ruleId/toggleEnable or disable an automation rule.
ruleIdstringrequiredcurl -X PATCH http://localhost:3001/…/automations/RULEID/toggle \ -H "Authorization: Bearer YOUR_TOKEN"Execution Traces
Every automation execution is logged with actor, target, timestamp, and result (success/failure).
/…/automations/:ruleId/tracesList execution traces for an automation rule.
ruleIdstringrequiredcurl http://localhost:3001/…/automations/RULEID/traces \ -H "Authorization: Bearer YOUR_TOKEN"AI Project Wizard
Multi-stage AI-guided project creation. Stages: Framing → Refinement (adaptive questions, readiness score) → Roadmap generation → Execution (phases become columns, deliverables become cards).
/…/project-draftsCreate a new project draft. Body: { name, description, contextDocuments }.
curl -X POST http://localhost:3001/…/project-drafts \ -H "Authorization: Bearer YOUR_TOKEN"/…/project-draftsList all drafts for the workspace.
curl http://localhost:3001/…/project-drafts \ -H "Authorization: Bearer YOUR_TOKEN"/…/project-drafts/:draftIdGet draft details including current stage and questions.
draftIdstringrequiredcurl http://localhost:3001/…/project-drafts/DRAFTID \ -H "Authorization: Bearer YOUR_TOKEN"/…/project-drafts/:draftId/refineSubmit answers to refinement questions. Returns next questions or readiness score.
draftIdstringrequiredcurl -X POST http://localhost:3001/…/project-drafts/DRAFTID/refine \ -H "Authorization: Bearer YOUR_TOKEN"/…/project-drafts/:draftId/generate-roadmapGenerate a phased roadmap from the refinement data.
draftIdstringrequiredcurl -X POST http://localhost:3001/…/project-drafts/DRAFTID/generate-roadmap \ -H "Authorization: Bearer YOUR_TOKEN"/…/project-drafts/:draftId/executeExecute the draft: create the project with phases as columns and deliverables as cards.
draftIdstringrequiredcurl -X POST http://localhost:3001/…/project-drafts/DRAFTID/execute \ -H "Authorization: Bearer YOUR_TOKEN"/…/project-drafts/:draftIdDelete a draft.
draftIdstringrequiredcurl -X DELETE http://localhost:3001/…/project-drafts/DRAFTID \ -H "Authorization: Bearer YOUR_TOKEN"For AI integration via MCP, see the MCP Integration guide. For a guided walkthrough, see Getting Started.