API
CardBoard exposes four integration surfaces with different audiences and stability commitments.
REST API
Section titled “REST API”A small, stable REST surface over five resources. Authentication is HTTP Basic — username is your email, password is your API key — and your organization must have API access enabled.
| Path | Verbs |
|---|---|
/api/maps | GET, POST |
/api/maps/:id | GET, PUT, DELETE |
/api/maps/:map_id/cards | GET, POST |
/api/maps/:map_id/cards/:id | GET, PUT, DELETE |
/api/maps/:map_id/cards/:id/badge | GET |
/api/maps/:map_id/cards/:card_id/card_comments | POST, PATCH |
/api/users, /api/users/:id | GET |
Outcomes, dividers, connections, reactions, and stickers are not exposed via REST today —
use the MCP server for those. Results are paginated (default 10 per page; page_length=0
returns everything).
MCP server
Section titled “MCP server”For AI agents (Claude, ChatGPT, Gemini) to read maps and propose changes. Authenticated with
OAuth 2.0 (mcp scope) at POST /mcp. The server exposes read tools (list_maps,
get_map, get_cards) and proposal tools (propose_card, propose_connection,
propose_outcome, propose_comment). Proposals follow a ghost model — they don’t commit
until a user accepts them — and the agent holds workspace-level access pinned as a
collaborator.
Directing an agent requires workspace member identity. The agent acts in your name, so the same accountability rule as tracker writes applies — a guest can’t drive one.
Marketplace, extension & connector APIs
Section titled “Marketplace, extension & connector APIs”Specialized endpoints used by CardBoard’s own integrations (the Atlassian/Microsoft marketplace apps, the ADO extension UI, and connector status checks). Not intended for general third-party use.
Webhooks
Section titled “Webhooks”CardBoard receives inbound webhooks — Stripe (billing) and tracker events from ADO and Jira. Outbound webhooks (CardBoard notifying your systems of card or comment events) are not available today.