REST API
Every exposes a scoped REST API for scripts and integrations: everything under /api/v1 on your Every site, authenticated with OAuth2 or a personal access token.
Authentication
Two ways in, both producing a bearer token for the Authorization header:
- Personal access tokens are the quick path for your own scripts. Create one under Settings → API Tokens: name it, tick the scopes it needs, and copy the token (it's shown once). Tokens expire after six months and can be revoked any time from the same page.
- OAuth2 (authorization code with PKCE) is for apps acting on behalf of users. Users see a consent screen listing the requested scopes, and every action is attributed to the authorising user. Access tokens last 15 days, refresh tokens 30.
There's no shared API key and no service account: all access is a user with scopes, and the API can never see more than that user can.
Scopes
Tokens carry only the scopes you grant, in resource:verb form:
| Scope | Allows |
|---|---|
user:read | View your own profile |
users:read | View team members |
clients:read / clients:create | View and create clients |
projects:read / projects:create | View and create projects |
tasks:read | View tasks |
tasks:create | Create tasks |
tasks:update | Update tasks, and add comments, attachments, and checklists |
time:read / time:write | View time entries; log time and manage timers |
task-statuses:read | View task statuses |
departments:read | View departments |
reports:read | View retainer health and capacity reports |
A reporting script needs nothing beyond :read scopes; a task-creating integration needs exactly tasks:create and no more.
The shape of the API
curl https://your-site.onevery.io/api/v1/tasks?assigned_to_me=1 \
-H "Authorization: Bearer {token}"
Resources follow REST conventions: GET to list and fetch, POST to create, PATCH to update. The core endpoints cover users, clients, projects, tasks (with comments, attachments, and checklists as sub-resources), departments, task statuses, and time. List endpoints paginate with page and per_page, returning data, links, and meta keys.
Task responses use the same vocabulary as the app: a reference like GO-6, a status with its colour and closed flag, priority, assignees, and so on.
Building an AI-powered integration? You may not need the API at all: the MCP server gives assistants richer, permission aware tools over the same data with no code to write.
For administrators
- Third-party OAuth connections a user has approved appear in their Settings → Connected Apps, where they can be revoked per user.
- A separate admin-only import API (behind its own scope, permission, and feature flag, off by default) exists for one-time data migrations. It writes with raw timestamps and skips notifications and automations. Enable it for the migration, then turn it back off.