REST API

Every exposes a scoped REST API for scripts and integrations: everything under /api/v1 on your Every site, authenticated with OAuth2 or a personal access token.

Authentication

Two ways in, both producing a bearer token for the Authorization header:

  • Personal access tokens are the quick path for your own scripts. Create one under Settings → API Tokens: name it, tick the scopes it needs, and copy the token (it's shown once). Tokens expire after six months and can be revoked any time from the same page.
  • OAuth2 (authorization code with PKCE) is for apps acting on behalf of users. Users see a consent screen listing the requested scopes, and every action is attributed to the authorising user. Access tokens last 15 days, refresh tokens 30.

There's no shared API key and no service account: all access is a user with scopes, and the API can never see more than that user can.

Scopes

Tokens carry only the scopes you grant, in resource:verb form:

ScopeAllows
user:readView your own profile
users:readView team members
clients:read / clients:createView and create clients
projects:read / projects:createView and create projects
tasks:readView tasks
tasks:createCreate tasks
tasks:updateUpdate tasks, and add comments, attachments, and checklists
time:read / time:writeView time entries; log time and manage timers
task-statuses:readView task statuses
departments:readView departments
reports:readView retainer health and capacity reports

A reporting script needs nothing beyond :read scopes; a task-creating integration needs exactly tasks:create and no more.

The shape of the API

curl https://your-site.onevery.io/api/v1/tasks?assigned_to_me=1 \
  -H "Authorization: Bearer {token}"

Resources follow REST conventions: GET to list and fetch, POST to create, PATCH to update. The core endpoints cover users, clients, projects, tasks (with comments, attachments, and checklists as sub-resources), departments, task statuses, and time. List endpoints paginate with page and per_page, returning data, links, and meta keys.

Task responses use the same vocabulary as the app: a reference like GO-6, a status with its colour and closed flag, priority, assignees, and so on.

For administrators

  • Third-party OAuth connections a user has approved appear in their Settings → Connected Apps, where they can be revoked per user.
  • A separate admin-only import API (behind its own scope, permission, and feature flag, off by default) exists for one-time data migrations. It writes with raw timestamps and skips notifications and automations. Enable it for the migration, then turn it back off.

Was this page helpful?