Resources/The Agent API Atlas/Productivity/Canny

Everything an AI agent can do with the Canny API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints37

API versionv1

Last updated23 June 2026

Orientation

How the Canny API works.

The Canny API is how an app or AI agent works with a Canny feedback portal: listing and creating posts, changing a post's status, casting and removing votes, and reading or leaving comments. Access is granted through a single account-level secret API key sent with each request, and that key carries no per-resource permissions, so anything it can reach, it can reach in full. Canny can also push events to a registered URL when a post, vote, or comment is created.

37Endpoints

9Capability groups

16Read

21Write

0Permissions

Authentication

Canny authenticates every call with one secret API key, found on the account's API and Webhooks settings page. The key is sent as the apiKey field inside the POST request body, alongside the call's other parameters. It is a server-side secret and must never appear in client code. There is no OAuth flow and no separate per-user token.

Permissions

The Canny API key is account-level and has no granular permission model: it carries no per-resource or per-method scopes, so any method the key can reach, it can reach in full, from reading posts to deleting users and companies. There is no way inside Canny to issue a read-only key or to scope a key to one board. The capability column is therefore blank for every method, and narrowing what an agent can do has to happen outside Canny, in a layer that sits in front of the key.

Versioning

Canny serves a stable v1 API and has begun adding a v2 namespace for a few list methods, like comments and companies, that use cursor pagination. It does not pin a dated version per account or send a version header, so an integration calls v1 or v2 paths directly. New methods are added over time rather than through breaking dated releases.

Data model

Canny is organized around feedback in a portal. Boards hold posts, posts collect votes and comments, and posts are filed by category and labeled with tags. Users are the people who post and vote, and companies group those users into customer accounts. Almost every method is a POST that takes a JSON body and returns JSON, including reads, because the secret key travels in the body. State changes, like a new post, vote, or comment, can be pushed to a webhook.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Canny determines what it can reach. There is a route for making calls and a route for receiving events, and each is governed by the secret API key behind it.

Ways to connect

REST API

The REST API answers at https://canny.io/api/v1, with a few list methods in a newer https://canny.io/api/v2 namespace. Almost every method is a POST that takes a JSON body, including reads like list and retrieve, because the secret API key travels in that body. Each method returns JSON.

Best forConnecting an app or AI agent to Canny.

Governed byThe single account-level secret API key.

Docs ↗

Webhooks

Canny POSTs an event to a URL registered on the API and Webhooks settings page when a post is created, a vote is added, or a comment is left. The receiver verifies the request signature to confirm it came from Canny. This lets an integration react to portal activity without polling.

Best forReceiving Canny events at an app or AI agent.

Governed byThe webhook signature on each delivery.

Docs ↗

Authentication

Secret API key

Canny authenticates every call with one secret API key, found on the company's API and Webhooks settings page. The key is sent as the apiKey field in the POST body. It is account-level: it carries no per-resource or per-method permissions, so any method it can call, it can call in full. It must be kept on a server and never exposed in client code.

TokenSecret API key (apiKey in the request body)

Best forServer-side access to a Canny account.

Docs ↗

Capability map

What an AI agent can do in Canny.

The Canny API is split into areas an agent can act on, like posts, votes, comments, boards, and users. Each area has its own methods, and writes in some areas change feedback voters and customers can see, or remove their accounts.

Posts

11 endpoints

List and read posts, create a post, update it, change its status, board, or category, merge posts, add and remove tags, and delete a post.

Writes here change real feedback voters and teammates can see.

View endpoints →

Boards

2 endpoints

List the boards in a feedback portal and read a single board.

These methods read board data.

View endpoints →

Votes

4 endpoints

List and read votes, cast a vote on a post for a user, and remove a vote.

Writes here change a post's vote count on behalf of a user.

View endpoints →

Comments

4 endpoints

List and read comments, create a comment on a post, and delete a comment.

Writes here add or remove comments voters can see.

View endpoints →

Users

4 endpoints

List and read users, create or update a user, and delete a user.

Writes here change or remove the accounts of real people.

View endpoints →

Companies

3 endpoints

List companies, update a company's details, and delete a company.

Writes here change or remove customer-account records.

View endpoints →

Status changes

1 endpoint

List the history of status changes across posts.

This method reads the record of past status changes.

View endpoints →

Endpoint reference

Every Canny API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Posts List and read posts, create a post, update it, change its status, board, or category, merge posts, add and remove tags, and delete a post.11
POST	`/api/v1/posts/list`	List posts, filtered by board, author, status, tag, or search query, and sorted.	read	—	Current
The Canny API key is account-level and carries no per-method scopes; any call this key can make, it can make. Read-only call. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/retrieve`	Retrieve a single post by its id or urlName.	read	—	Current
Read-only. The path is POST even though it retrieves data, because the key travels in the request body. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/create`	Create a post on a board, authored by a given user.	write	—	Current
Creates feedback visible in the portal. The key has no granular scope to narrow this. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook event`post-created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/update`	Update a post's title, details, or other fields.	write	—	Current
Changes feedback voters can see. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/change_status`	Change a post's status, like open, planned, in progress, or complete, optionally notifying voters.	write	—	Current
Setting a post to its current status returns the post but fires no side effects, like notifications or activity entries. shouldNotifyVoters controls whether voters are emailed. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook event`post-status-changed` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/change_board`	Move a post to a different board.	write	—	Current
Changes where the feedback appears. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/change_category`	Set or clear a post's category.	write	—	Current
Changes how the post is filed on its board. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/merge`	Merge one post into another, combining their votes.	write	—	Current
Merging moves votes and is not a simple undo. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/add_tag`	Add a tag to a post.	write	—	Current
Changes how the post is labeled. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/remove_tag`	Remove a tag from a post.	write	—	Current
Changes how the post is labeled. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/posts/delete`	Delete a post.	write	—	Current
Removes the post and its feedback. The key has no scope to block this on its own. Acts onpost Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Boards List the boards in a feedback portal and read a single board.2
POST	`/api/v1/boards/list`	List all the boards in a feedback portal.	read	—	Current
Read-only. Acts onboard Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/boards/retrieve`	Retrieve a single board by its id.	read	—	Current
Read-only. Acts onboard Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Votes List and read votes, cast a vote on a post for a user, and remove a vote.4
POST	`/api/v1/votes/list`	List votes, filtered by board, post, or user.	read	—	Current
Read-only. Acts onvote Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/votes/retrieve`	Retrieve a single vote by its id.	read	—	Current
Read-only. Acts onvote Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/votes/create`	Cast a vote on a post on behalf of a user.	write	—	Current
Votes on a post in a named user's name, changing its vote count. Acts onvote Permission (capability)None required VersionAvailable since the API’s base version Webhook event`vote-created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/votes/delete`	Remove a user's vote from a post.	write	—	Current
Lowers a post's vote count by removing a vote. Acts onvote Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Comments List and read comments, create a comment on a post, and delete a comment.4
POST	`/api/v1/comments/list`	List comments, filtered by board, post, or author.	read	—	Current
Read-only. A cursor-paginated v2 variant is also offered at /api/v2/comments/list. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/comments/retrieve`	Retrieve a single comment by its id.	read	—	Current
Read-only. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/comments/create`	Create a comment on a post, authored by a given user.	write	—	Current
Adds a comment voters can see on the post. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook event`comment-created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/comments/delete`	Delete a comment.	write	—	Current
Removes a comment from the post. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Categories List and read categories, create a category on a board, and delete one.4
POST	`/api/v1/categories/list`	List the categories on a board.	read	—	Current
Read-only. Acts oncategory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/categories/retrieve`	Retrieve a single category by its id.	read	—	Current
Read-only. Acts oncategory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/categories/create`	Create a category on a board.	write	—	Current
Changes how a board organizes feedback. Acts oncategory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/categories/delete`	Delete a category that has no subcategories.	write	—	Current
Removes a category from a board. Acts oncategory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Tags List and read tags, create a tag, and delete one.4
POST	`/api/v1/tags/list`	List the tags in a feedback portal.	read	—	Current
Read-only. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/tags/retrieve`	Retrieve a single tag by its id.	read	—	Current
Read-only. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/tags/create`	Create a tag on a board.	write	—	Current
Adds a tag teammates can apply to posts. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/tags/delete`	Delete a tag.	write	—	Current
Removes the tag and unlinks it from posts. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Users List and read users, create or update a user, and delete a user.4
POST	`/api/v1/users/list`	List the users in a feedback portal.	read	—	Current
Read-only. Returns the people who have accounts, including names and email addresses. Acts onuser Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/users/retrieve`	Retrieve a single user by id, email, or the app's own userID.	read	—	Current
Read-only. Returns a person's profile, including their email address. Acts onuser Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/users/create_or_update`	Create a user, or update an existing one matched by id or email.	write	—	Current
Creates or edits the account of a real person, including their name and email. Acts onuser Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/users/delete`	Delete a user.	write	—	Current
Removes a person's account. The account-level key has no scope to block this on its own. Acts onuser Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Companies List companies, update a company's details, and delete a company.3
POST	`/api/v2/companies/list`	List companies, paginated with a cursor.	read	—	Current
Read-only. This list method lives in the newer v2 namespace and uses cursor pagination. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/companies/update`	Create or update a company's details, like its name, monthly spend, and custom fields.	write	—	Current
Changes a customer-account record used to weight feedback. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v1/companies/delete`	Delete a company.	write	—	Current
Removes a customer-account record. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Status changes List the history of status changes across posts.1
POST	`/api/v1/status_changes/list`	List the history of status changes across posts, filtered by board.	read	—	Current
Read-only. Returns the record of which posts changed status, when, and to what. Acts onstatus change Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Canny can notify an app or AI agent when something happens in a feedback portal, like a post being created, a vote being added, or a comment being left. It posts the event to a registered URL, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`New post`	Fires when a new post is created on a board, whether through the portal or the API.	`/api/v1/posts/create`
`Post status changed`	Fires when a post's status changes, like moving to planned, in progress, or complete.	`/api/v1/posts/change_status`
`New vote`	Fires when a vote is added to a post.	`/api/v1/votes/create`
`New comment`	Fires when a comment is left on a post.	`/api/v1/comments/create`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Canny limits how fast an app or AI agent can call, against the single account-level API key, and returns an error once a request runs too often.

Request rate

Canny meters requests against the single account-level API key and returns an error once calls arrive too quickly, so a high-volume job should pace itself rather than burst. The reference does not publish an exact requests-per-minute number, and a throttled request comes back as an HTTP 429 with the standard advice to back off and retry. Because one key serves the whole account, every integration and agent sharing it draws on the same allowance.

Pagination

List methods page in one of two ways. The v1 methods use skip-based pagination, with a limit for the page size and a skip offset to move through results. The newer v2 list methods, like comments and companies, use cursor-based pagination instead, where the response returns a cursor to pass into the next request. A list method returns a hasMore-style signal so a caller knows when to stop.

Request size

Responses are JSON. A single list page is capped per method, and some list methods cap the total results they will return, such as a maximum around 10,000 categories. There is no separate documented request-body size limit across the whole API.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`error field in body`	The request was rejected, for example a missing or invalid parameter like an unknown postID. Canny returns a JSON body with an error field describing the problem, such as {"error":"invalid postID"}.	Read the error field, correct the named parameter, and resend.
401	`invalid apiKey`	The secret API key is missing or invalid, so the request is not authenticated.	Send a valid apiKey from the API and Webhooks settings page in the request body.
429	`rate limit`	Requests against the API key arrived too quickly and were throttled.	Back off and retry with exponential backoff, honoring any Retry-After header before resending.
500	`server error`	An error on Canny's side, which is uncommon.	Retry after a short wait, and contact Canny support if it persists.

Versioning & freshness

Version history.

Canny serves a stable v1 API and has begun adding a v2 namespace for a few list methods that use cursor pagination. It does not pin dated versions per account.

Version history

What changed, and when

Latest versionv1

v1Current version

Stable v1 API, with a growing v2 namespace

Canny serves a stable v1 REST API where almost every method is a POST that takes the secret API key in its JSON body. It does not pin a dated version per account or send a version header. A newer v2 namespace has been added for a few list methods, like comments and companies, that use cursor-based pagination, while v1 list methods use skip-based pagination. New methods are added over time rather than through breaking dated releases.

What changed

Stable v1 methods cover posts, boards, votes, comments, categories, tags, users, companies, and status changes.
A v2 namespace adds cursor-paginated list methods for comments and companies.
Webhooks deliver new post, vote, comment, and status-change events to a registered URL.

An integration calls the v1 or v2 path directly; there is no version header to pin.

Canny API reference ↗

Questions

Canny API, answered.

How does authentication work, and why is even a read a POST?+

Every Canny call carries the account's secret API key as the apiKey field in the request body. Because the key lives in the body rather than a header or query string, the API uses POST for almost every method, including list and retrieve reads. So a call like /api/v1/posts/list is a POST even though it only reads. The key is found on the API and Webhooks settings page and must stay on a server.

Can I give an agent read-only access, or limit it to one board?+

Not within Canny. The API key is account-level with no granular scopes: it cannot be made read-only, and it cannot be limited to a single board or resource. Whatever the key can do, anyone holding it can do, including deleting posts, users, and companies. To restrict an agent to, say, reading posts on one board, the limit has to be enforced outside Canny, in a layer that holds the key and filters each call.

What are the rate limits?+

Canny throttles requests made against the API key and returns an HTTP 429 once calls arrive too quickly. The reference does not publish an exact requests-per-minute figure, so a high-volume job should pace itself, back off on a 429, and honor any Retry-After header before retrying. Because one key serves the whole account, every integration sharing it draws on the same allowance.

How do I receive events instead of polling?+

Canny supports webhooks. A receiver URL is registered on the API and Webhooks settings page, and Canny POSTs an event to it when a post is created, a vote is added, or a comment is left. Each delivery carries a signature the receiver checks to confirm the request came from Canny. This is more efficient than repeatedly polling the list methods.

How does pagination work?+

It depends on the method. The v1 list methods use skip-based pagination, with a limit for the page size and a skip offset to move forward. The newer v2 list methods, like comments and companies, use cursor-based pagination, returning a cursor to pass into the next request. A list response signals whether more results remain so a caller knows when to stop.

What does an error look like?+

A failed call returns a JSON body with an error field describing the problem, for example {"error":"invalid postID"} when a parameter is wrong. A missing or invalid key fails authentication, and going too fast returns a 429. A successful delete or update typically returns a short success response rather than the full object.

What is Bollard AI?

Control what every AI agent can do in Canny.

Bollard AI sits between a team's AI agents and Canny. Grant each agent exactly the access it needs, read or write, action by action, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Canny key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Canny access in Bollard Browse all APIs →

Canny

Feedback Agent

Read posts and votes ResourceOffReadFull use

Change post status ActionOffReadFull use

Delete users ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Canny

How the Canny API works.

Connection & authentication methods.

REST API

Webhooks

Secret API key

What an AI agent can do in Canny.

Posts

Boards

Votes

Comments

Categories

Tags

Users

Companies

Status changes

Every Canny API method.

Posts

Boards

Votes

Comments

Categories

Tags

Users

Companies

Status changes

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Canny API, answered.

More productivity API guides for agents

Shortcut

Aha!

Miro

Coda

Notion

ClickUp

Control what every AI agent can do in Canny.