Resources/The Agent API Atlas/Productivity/Aha!

Everything an AI agent can do with the Aha! API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints45

API versionv1

Last updated23 June 2026

Orientation

How the Aha! API works.

The Aha! API is how an app or AI agent works with an Aha! account: listing and creating features, capturing ideas from customer feedback, organizing initiatives and releases, and updating goals and to-dos. Access is granted through an API key or an OAuth token, each tied to one user, and a call can reach exactly what that user can reach, because Aha! has no separate per-method permissions. Aha! can also push events to a webhook when a record is created, updated, or destroyed.

45Endpoints

12Capability groups

21Read

24Write

0Permissions

Authentication

Every call needs a token sent as 'Authorization: Bearer ', against the account's own host at {account}.aha.io. Two token types exist: an API key generated in the Aha! interface, tied to one user and account and surviving password changes, and an OAuth 2.0 token obtained through the authorization code or implicit flow once a user authorizes a registered application. OAuth 2.0 is the preferred route because it avoids sharing Aha! credentials with an external application. The two are used identically once issued.

Permissions

Aha! does not use granular, per-endpoint API scopes. A key or OAuth token inherits the access of the user it belongs to, so a call can read or change anything that user can read or change in the Aha! interface, across the workspaces they are a member of. There is no way to narrow a single token to, for example, only features or only read access; the boundary is the user's own role and workspace membership. This is why each endpoint below lists no permission token, and why a governing layer in front of the API matters.

Versioning

The REST API is served under one major version, v1, carried in the path at {account}.aha.io/api/v1. Aha! adds new record types, endpoints, and fields to v1 over time rather than publishing dated, breaking versions, so an integration written against v1 continues to work as the surface grows. There is no version header to pin.

Data model

The API is resource-oriented JSON over HTTPS, served per account at {account}.aha.io/api/v1. The core records are products (workspaces), goals, initiatives, releases, epics, features, requirements, ideas, to-dos, comments, and custom fields, and they nest: requirements belong to features, features to releases or epics, and releases to products. Lists are paginated with total_records, total_pages, and current_page fields, and an activity webhook can push record changes as they happen.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Aha! determines what it can reach. There are a few routes, each carried by an API key or OAuth token that is tied to one user, and each call runs with that user's own access.

Ways to connect

REST API

The REST API answers per account at {account}.aha.io/api/v1, where {account} is the customer's own subdomain. It is served under one major version, v1, and returns JSON over HTTPS.

Best forConnecting an app or AI agent to Aha!.

Governed byAn API key or OAuth token tied to one user, carrying that user's full access.

Docs ↗

MCP server (Model Context Protocol)

Aha! publishes a first-party MCP server at https://{account}.aha.io/api/v1/mcp, available across the Aha! suite. It lets an AI assistant read, search, analyze, create, and update records the connected user can access, but it cannot delete records. Admins enable it and set view or edit access under the account's AI controls settings.

Best forConnecting an AI assistant to Aha! through the Model Context Protocol.

Governed byThe connected user's own access, set by admins in AI controls.

Docs ↗

Activity webhook

An activity webhook posts a JSON audit payload to a registered URL whenever a record is created, updated, or destroyed. It is configured at the account or workspace level and filtered by record type and field, and it sends only the fields that changed.

Best forReceiving record changes without polling.

Governed byThe webhook configuration and callback URL set in account or workspace settings.

Docs ↗

Authentication

OAuth 2.0

A user authorizes a registered application through the authorization code flow at {account}.aha.io/oauth/authorize, and the application exchanges the code at {account}.aha.io/oauth/token for a token to call the API on that user's behalf. Aha! recommends OAuth 2.0 because the application never sees the user's Aha! credentials. The token carries the user's full access; there are no granular scopes.

TokenOAuth 2.0 access token

Best forActing on behalf of a user without sharing credentials

Docs ↗

API key

An API key is generated in the Aha! interface, tied to one user and account, and keeps working even after that user changes their password. It is sent the same way as an OAuth token, as a Bearer token, and inherits the user's full access. There are no granular scopes.

TokenPersonal API key

Best forQuick scripts and single-user integrations

0 endpoints

Receive an activity webhook that posts record create, update, and destroy events to a registered URL.

Configuring a webhook changes what data leaves the account.

View endpoints →

Endpoint reference

Every Aha! API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Features List, read, create, update, and delete features, update their custom fields, and convert a feature to an epic.6
GET	`/api/v1/features`	List features, optionally filtered by release, product, epic, goal, initiative, workflow status, or custom field.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches every feature the user can see in the workspaces they belong to. Acts onfeature Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/features/{id}`	Get a specific feature by its reference number or id.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission for the feature. Acts onfeature Permission (capability)None required VersionAvailable since the API’s base version Webhook event`feature-updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/releases/{release_id}/features`	Create a feature within a release.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the target release in the Aha! interface. Acts onfeature Permission (capability)None required VersionAvailable since the API’s base version Webhook event`feature-created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/api/v1/features/{id}`	Update a feature, including its name, description, status, epic, goals, release, score, tags, or watchers.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the feature. Acts onfeature Permission (capability)None required VersionAvailable since the API’s base version Webhook event`feature-updated` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/api/v1/features/{id}/custom_fields`	Update a feature's custom field values.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the feature. Acts onfeature Permission (capability)None required VersionAvailable since the API’s base version Webhook event`feature-updated` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/features/{id}`	Delete a feature.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the feature; this removes it permanently. Acts onfeature Permission (capability)None required VersionAvailable since the API’s base version Webhook event`feature-destroyed` Rate limitStandard limits apply SourceOfficial documentation ↗
Ideas List and search ideas in a product, read a single idea, and create an idea in an ideas portal.3
GET	`/api/v1/products/{product_id}/ideas`	List ideas in a product, with filters such as a search term.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches ideas in products the user can access. Acts onidea Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/ideas/{id}`	Get a specific idea by its reference number or id.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission for the idea. Acts onidea Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/portals/{portal_id}/ideas`	Create an idea in a specific ideas portal.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to submit ideas to the target portal. Acts onidea Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Initiatives List, read, create, update, and delete strategic initiatives.5
GET	`/api/v1/initiatives`	List initiatives, optionally filtered by goal, product, workflow status, or custom field.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches initiatives the user can see. Acts oninitiative Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/initiatives/{id}`	Get a specific initiative.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission. Acts oninitiative Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/products/{product_id}/initiatives`	Create an initiative in a product.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the product's strategy. Acts oninitiative Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v1/initiatives/{id}`	Update an initiative.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the initiative. Acts oninitiative Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/initiatives/{id}`	Delete an initiative.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the initiative; this removes it permanently. Acts oninitiative Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Releases List, read, create, update, and delete releases in a product.5
GET	`/api/v1/products/{product_id}/releases`	List releases in a product.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches releases in products the user can access. Acts onrelease Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/releases/{id}`	Get a specific release.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission. Acts onrelease Permission (capability)None required VersionAvailable since the API’s base version Webhook event`release-updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/products/{product_id}/releases`	Create a release in a product.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the product. Acts onrelease Permission (capability)None required VersionAvailable since the API’s base version Webhook event`release-created` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v1/releases/{id}`	Update a release.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the release. Acts onrelease Permission (capability)None required VersionAvailable since the API’s base version Webhook event`release-updated` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/releases/{id}`	Delete a release.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the release; this removes it permanently. Acts onrelease Permission (capability)None required VersionAvailable since the API’s base version Webhook event`release-destroyed` Rate limitStandard limits apply SourceOfficial documentation ↗
Epics List, read, create, update, and delete epics.5
GET	`/api/v1/epics`	List epics, optionally filtered by release, product, goal, initiative, tag, assignee, workflow status, or custom field.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches epics the user can see. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/epics/{id}`	Get a specific epic.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/releases/{release_id}/epics`	Create an epic in a release.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the target release. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/api/v1/epics/{id}`	Update an epic.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the epic. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/epics/{id}`	Delete an epic.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the epic; this removes it permanently. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Requirements Read, create, update, and delete the requirements that belong to a feature.5
GET	`/api/v1/features/{feature_id}/requirements`	List the requirements that belong to a feature.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches requirements on features the user can see. Acts onrequirement Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/requirements/{id}`	Get a specific requirement.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission. Acts onrequirement Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/features/{feature_id}/requirements`	Create a requirement on a feature.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the parent feature. Acts onrequirement Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v1/requirements/{id}`	Update a requirement.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the requirement. Acts onrequirement Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/requirements/{id}`	Delete a requirement.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the requirement; this removes it permanently. Acts onrequirement Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Goals List, read, create, update, and delete goals (strategic imperatives).5
GET	`/api/v1/goals`	List goals across the account.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches goals the user can see. Acts ongoal Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/goals/{id}`	Get a specific goal.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission. Acts ongoal Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/products/{product_id}/goals`	Create a goal in a product.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the product's strategy. Acts ongoal Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/api/v1/goals/{id}`	Update a goal.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the goal. Acts ongoal Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/goals/{id}`	Delete a goal.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the goal; this removes it permanently. Acts ongoal Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Products List the products (workspaces) in an account and read a single product.2
GET	`/api/v1/products`	List the products (workspaces) in the account.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches products the user is a member of. Acts onproduct Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/products/{id}`	Get a specific product.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own membership of the product. Acts onproduct Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
To-dos List, read, create, update, and delete to-dos and approvals.5
GET	`/api/v1/to-dos`	List to-dos, optionally filtered by assignee, feature, release, epic, idea, requirement, or product.	read	—	Current
Aha! has no per-endpoint API scopes. The token reaches to-dos the user can see. Acts onto-do Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/to-dos/{id}`	Get a specific to-do.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission. Acts onto-do Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/features/{feature_id}/to-dos`	Create a to-do associated with a record, such as a feature.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the associated record. Acts onto-do Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v1/to-dos/{id}`	Update a to-do, including its status to mark it complete.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to edit the to-do. Acts onto-do Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v1/to-dos/{id}`	Delete a to-do.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to delete the to-do; this removes it permanently. Acts onto-do Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Comments Read and create comments on a feature, idea, requirement, release, goal, epic, or initiative.2
POST	`/api/v1/features/{feature_id}/comments`	Create a comment on a feature.	write	—	Current
Aha! has no per-endpoint API scopes. The user must be able to comment on the feature. Comments can also be created on epics, requirements, ideas, initiatives, goals, releases, release phases, and to-dos. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/features/{feature_id}/comments`	List the comments on a feature.	read	—	Current
Aha! has no per-endpoint API scopes. Access follows the user's own view permission for the feature. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Custom fields List the custom fields defined in the account and the options for a custom field.2
GET	`/api/v1/custom_fields`	List all custom fields defined in the account.	read	—	Current
Aha! has no per-endpoint API scopes. Custom fields are defined by record type and shared across all workspaces in the account. Acts oncustom field Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v1/custom_fields/{key}/custom_field_options`	List the options for a custom field that has a choice list or tags.	read	—	Current
Aha! has no per-endpoint API scopes. Returns the available options for fields such as choice lists and tags. Acts oncustom field Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Aha! can notify an app or AI agent when a record changes, instead of the app repeatedly asking. An activity webhook posts a JSON payload to a registered URL whenever a record is created, updated, or destroyed.

Event	What it signals	Triggered by
`create (feature)`	Fires when a feature is created. The activity webhook sends an audit payload with the action, the feature id, the user, and the changed fields.	`/api/v1/releases/{release_id}/features`
`update (feature)`	Fires when a feature is updated. The payload carries only the fields that changed, not the whole record.	`/api/v1/features/{id}` `/api/v1/features/{id}/custom_fields`
`destroy (feature)`	Fires when a feature is deleted.	`/api/v1/features/{id}`
`create (release)`	Fires when a release is created.	`/api/v1/products/{product_id}/releases`
`update (release)`	Fires when a release is updated, carrying only the changed fields.	`/api/v1/releases/{id}`
`destroy (release)`	Fires when a release is deleted.	`/api/v1/releases/{id}`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Aha! limits how fast an app or AI agent can call through a per-account quota, counted across every key on the account, with the current state returned in response headers and an over-limit request answered with a 429.

Request rate

Aha! caps requests per account, not per key, so several keys or users on the same account share one quota. The ceilings are up to 300 requests per minute and up to 20 requests per second; exceeding either in its window returns a 429. The response carries X-Ratelimit-Limit, X-Ratelimit-Remaining, and X-Ratelimit-Reset headers, where X-Ratelimit-Reset is the UTC unix time the limit clears and the request can safely be retried. Aha! also asks that each request send a descriptive User-Agent header with a way to contact the developer, so it can reach the client if it sees a problem.

Pagination

List endpoints return a pagination object with total_records, total_pages, and current_page. The page is chosen with the page query parameter and its size with per_page, which defaults to 30 records and tops out at 200.

Request size

Requests and responses are JSON. There is no single documented overall payload size limit; large result sets are split across pages of at most 200 records each.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request is malformed, such as an invalid parameter or body.	Correct the request structure and resend.
403	`Forbidden`	The authentication information is incorrect: a missing, wrong, or revoked token, or a token that does not belong to the account's host.	Check the Authorization header and that the token is valid for {account}.aha.io.
404	`Not Found`	The record does not exist, or the user behind the token cannot see it.	Confirm the path and id, and that the user has access to the record.
429	`Too Many Requests`	A rate limit was exceeded: more than 300 requests in a minute or more than 20 in a second, counted per account.	Wait until the X-Ratelimit-Reset unix time, then retry.
500	`Internal Server Error`	An unexpected error occurred on the Aha! side while handling the request.	Retry after a short delay; if it persists, contact Aha! support.
504	`Gateway Timeout`	The request took too long for Aha! to complete.	Narrow the request, such as paging smaller result sets, and retry.

Versioning & freshness

Version history.

The Aha! REST API is served under a single major version, v1, in the path. New record types and fields are added to v1 without minting a new version string, so an integration built on v1 keeps working as the API grows.

Version history

What changed, and when

Latest versionv1

2026-05-20Feature update

First-party MCP server launched

Aha! launched its own MCP (Model Context Protocol) server across the Aha! suite, served on the account's host at {account}.aha.io/api/v1/mcp. It lets an AI assistant read, search, analyze, create, and update records the connected user can access, governed by AI controls in account settings, and it cannot delete records. This added a new connection route on top of the existing v1 REST API without changing the REST surface. Announced 20 May 2026.

What changed

Added a first-party MCP server at {account}.aha.io/api/v1/mcp
Exposed read, search, create, and update over MCP, with delete excluded
Access governed per connection through the account's AI controls settings

v1Current version

Single major version, additive changes

The Aha! REST API is served under one major version, v1, carried in the path at {account}.aha.io/api/v1. Aha! adds new record types, endpoints, and fields to v1 over time rather than publishing dated, breaking versions, so an integration written against v1 keeps working as the surface grows. There is no version header to pin and no separate version timeline published.

What changed

All endpoints served under the v1 path on the account's own host
New record types and fields added to v1 without a new version string
API keys and OAuth 2.0 tokens both inherit the user's full access, with no granular scopes

There is one current major version, v1; changes are additive rather than dated breaking versions.

Aha! API documentation ↗

Questions

Aha! API, answered.

Does an Aha! API token have scopes I can narrow?+

No. Aha! has no granular, per-endpoint API scopes. An API key or OAuth 2.0 token is tied to one user and inherits that user's full access, so it can read or change anything that user can in the Aha! interface, limited only by their role and which workspaces they belong to. There is no built-in way to restrict a single token to, say, read-only or to features alone. To enforce least privilege, the access has to be governed in front of the API, which is what Bollard AI does.

API key or OAuth 2.0, which should I use?+

OAuth 2.0 is the preferred route, because the external application never sees the user's Aha! credentials. A user authorizes a registered application through the authorization code or implicit flow, and the application receives a token to call the API on that user's behalf. An API key is simpler to start with, generated in the Aha! interface and tied to one user and account, and it keeps working even after that user changes their password. Both are sent the same way, as a Bearer token.

What are the rate limits?+

Up to 300 requests per minute and up to 20 requests per second, counted per account rather than per key, so every key and user on the account draws from the same quota. Going over either limit in its window returns a 429. The X-Ratelimit-Limit, X-Ratelimit-Remaining, and X-Ratelimit-Reset response headers report the current state, and X-Ratelimit-Reset gives the UTC unix time the limit clears so a retry can be timed.

How do I receive changes instead of polling?+

Aha! offers an activity webhook. A receiver URL is registered at the account or workspace level, and Aha! sends a POST with a JSON audit payload whenever a record is created, updated, or destroyed. The payload names the action (create, update, or destroy), the record type and id, the user, and only the fields that changed, not the whole record. By default delivery waits five minutes to batch activity, though an immediate-delivery option is available.

Does Aha! have an official MCP server for AI agents?+

Yes. Aha! publishes a first-party MCP (Model Context Protocol) server at https://{account}.aha.io/api/v1/mcp, available across the Aha! suite. It lets an AI assistant read, search, analyze, create, and update records the connected user has permission for, but it cannot delete records. Admins enable it and set view or edit access under the account's AI controls settings, and it runs with the connected user's own access, the same boundary as the REST API.

What does a 403 mean on the Aha! API?+

A 403 means the authentication information is incorrect, such as a missing, wrong, or revoked token. A 400 means the request itself is malformed, a 404 means the record was not found or the user cannot see it, a 429 means a rate limit was hit, and a 500 or 504 is a server-side error or timeout. For a 403, check the Authorization header and that the token is still valid for the account's host.

What is Bollard AI?

Control what every AI agent can do in Aha!.

Bollard AI sits between a team's AI agents and Aha!. Grant each agent exactly the access it needs, read or write, record type by record type, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Aha! key that inherits a full user's reach.
Denied by default, so an agent reaches only the record types that have been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Aha! access in Bollard Browse all APIs →

Aha!

Roadmap Agent

Read features and releases ResourceOffReadFull use

Create ideas from feedback ActionOffReadFull use

Delete features ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Aha!

How the Aha! API works.

Connection & authentication methods.

REST API

MCP server (Model Context Protocol)

Activity webhook

OAuth 2.0

API key

What an AI agent can do in Aha!.

Features

Ideas

Initiatives

Releases

Epics

Requirements

Goals

Products

To-dos

Comments

Custom fields

Webhooks

Every Aha! API method.

Features

Ideas

Initiatives

Releases

Epics

Requirements

Goals

Products

To-dos

Comments

Custom fields

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Aha! API, answered.

More productivity API guides for agents

Shortcut

Miro

Canny

Coda

Notion

ClickUp

Control what every AI agent can do in Aha!.