Resources/The Agent API Atlas/Productivity/Shortcut

Everything an AI agent can do with the Shortcut API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints57

API versionv3

Last updated23 June 2026

Orientation

How the Shortcut API works.

The Shortcut API is how an app or AI agent works with a Shortcut workspace: reading and searching stories, moving them through a workflow, filing and updating epics, planning iterations, and posting comments. Access is granted through an API token that acts as the workspace member who created it, so a token can do whatever that person can, with no narrower permissions to limit it. A single workspace webhook can also push story and epic changes to an app instead of it having to keep asking.

57Endpoints

12Capability groups

29Read

28Write

0Permissions

Authentication

Every call needs an API token sent in the Shortcut-Token header. A workspace member generates the token in account settings, and the token acts as that member. There is no OAuth for the REST API itself, though the hosted MCP server does use OAuth. A request with no token, or a bad one, returns 401.

Permissions

Shortcut has no per-endpoint scopes. A token inherits the full permissions of the member who created it, so the same token that reads a story can update or delete one, manage epics and iterations, and read every member's name and email. Access cannot be narrowed at the token level, which is where a gateway in front of the API matters: it is the only place to grant an agent read-only or resource-limited access.

Versioning

The API is versioned by a path segment, and v3 is the current version, reached under /api/v3. Changes are backwards compatible, so Shortcut adds new fields and endpoints without breaking existing integrations, and an integration stays on v3 rather than pinning dated versions.

Data model

The API is resource-oriented JSON over HTTPS at https://api.app.shortcut.com/api/v3. The core unit is a story, which lives in a workflow state, can belong to an epic, an iteration, a project, and a team, and carries tasks, comments, labels, and file attachments. Epics group stories toward a larger goal, and a single workspace-level webhook can push story and epic changes.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Shortcut determines what it can reach. There is a route for making calls, a route for receiving events, and a hosted server that exposes Shortcut tools to agents, and each is governed by the token behind it.

Ways to connect

REST API (v3)

The REST API answers at https://api.app.shortcut.com/api/v3. Every call carries a Shortcut-Token header, and requests and responses are JSON, apart from file uploads which use multipart form data.

Best forConnecting an app or AI agent to Shortcut.

Governed byThe API token and the permissions of the member who owns it.

Docs ↗

MCP server (Model Context Protocol)

Shortcut publishes its own MCP server, so an agent can find, create, and update stories, epics, iterations, and docs through the Model Context Protocol. A hosted server connects over OAuth with no token setup, and a local option runs the @shortcut/mcp npm package with a SHORTCUT_API_TOKEN. The source is at github.com/useshortcut/mcp-server-shortcut.

Best forConnecting an AI agent to Shortcut through Model Context Protocol clients.

Governed byThe OAuth grant or the API token behind it.

Docs ↗

Outgoing webhooks

A single outgoing webhook registered on a workspace posts an event to a chosen URL whenever a story or epic is created, updated, or deleted. A Payload-Signature header, an HMAC-SHA-256 hash of the body, confirms the event came from Shortcut.

Best forReceiving workspace changes without polling.

Governed byThe webhook registration and its shared secret.

Docs ↗

Authentication

API token

A workspace member generates an API token in account settings and sends it in the Shortcut-Token header. The token acts as that member, so it can do whatever the member can across the whole workspace, with no narrower per-endpoint scopes to limit it.

TokenShortcut API token

Best forServer-side integrations and scripts

Docs ↗

OAuth (hosted MCP server)

Shortcut's hosted MCP server authenticates an agent over OAuth, so a Model Context Protocol client connects without anyone copying an API token. It is the no-setup route for agents that speak Model Context Protocol.

TokenOAuth grant

Best forAgents connecting through the hosted MCP server

Docs ↗

Capability map

What an AI agent can do in Shortcut.

The Shortcut API is split into areas an agent can act on, like stories, epics, iterations, workflows, and members. A token carries whatever its owner can do across all of these areas, so the same token that reads a story can also delete one.

Stories

9 endpoints

List, search, read, create, update, and delete stories, create them in bulk or from a template, and read a story's history.

Writes here change real story data, and a delete cannot be undone.

View endpoints →

Story comments

4 endpoints

List, read, create, update, and delete comments on a story.

Writes here post or remove real comments visible to the team.

View endpoints →

Tasks

4 endpoints

Read, create, update, and delete the tasks inside a story.

Writes here change a story's task checklist.

View endpoints →

Epics

6 endpoints

List, read, create, update, and delete epics, and list the stories inside an epic.

Writes here change real epic data, and a delete cannot be undone.

View endpoints →

Iterations

6 endpoints

List, read, create, update, and delete iterations, and list the stories in an iteration.

Writes here change real iteration data.

View endpoints →

Workflows

2 endpoints

List the workflows in a workspace and read a single workflow with its states.

These endpoints only read workflow configuration.

View endpoints →

Projects

5 endpoints

List, read, create, update, and delete projects, and list the stories in a project.

Writes here change real project data.

View endpoints →

Members

3 endpoints

List the members of a workspace, read a single member, and read the token owner's own member info.

These endpoints only read member data.

View endpoints →

Labels

6 endpoints

List, read, create, update, and delete labels, and list the stories or epics carrying a label.

Writes here change real label data.

View endpoints →

Teams (Groups)

4 endpoints

List, read, create, and update teams, called groups in the API, and list a team's stories.

Writes here change real team data.

View endpoints →

Files

5 endpoints

Upload, list, read, update, and delete the files attached to stories.

Writes here add or remove real file attachments.

View endpoints →

Search

3 endpoints

Search across the workspace, or search specifically for stories, epics, iterations, objectives, or milestones.

These endpoints only read search results.

View endpoints →

Endpoint reference

Every Shortcut API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Stories List, search, read, create, update, and delete stories, create them in bulk or from a template, and read a story's history.9
GET	`/stories/search`	Search for stories using Shortcut's search operators.	read	—	Current
The path is /api/v3/search/stories. The API token has no per-endpoint scopes, so the token can reach this whenever its owner can. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/stories/search`	Query stories with a structured filter object instead of a search string.	read	—	Current
A POST that reads rather than writes, taking the query in the request body. The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/stories/{story-public-id}`	Get a single story by its public ID.	read	—	Current
The API token has no per-endpoint scopes, so it can read any story its owner can see. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/stories`	Create a story.	write	—	Current
Returns 201 on success, or 422 when the body fails validation. The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/stories/bulk`	Create multiple stories in one request.	write	—	Current
Counts as a single request against the rate limit while creating many stories. The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/stories/from-template`	Create a story from a story template.	write	—	Current
Story templates must be enabled in the workspace. The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/stories/{story-public-id}`	Update a story, including its workflow state, owners, and labels.	write	—	Current
Moving a story between workflow states is done through this endpoint. The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/stories/{story-public-id}`	Delete a story.	write	—	Current
A delete cannot be undone. The API token has no per-endpoint scopes, so any token whose owner can delete a story can call this. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/stories/{story-public-id}/history`	List the change history of a story.	read	—	Current
The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Story comments List, read, create, update, and delete comments on a story.4
GET	`/stories/{story-public-id}/comments`	List the comments on a story.	read	—	Current
The API token has no per-endpoint scopes. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/stories/{story-public-id}/comments`	Create a comment on a story.	write	—	Current
The comment is attributed to the token owner. The API token has no per-endpoint scopes. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/stories/{story-public-id}/comments/{comment-public-id}`	Update a comment on a story.	write	—	Current
The API token has no per-endpoint scopes. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/stories/{story-public-id}/comments/{comment-public-id}`	Delete a comment on a story.	write	—	Current
The API token has no per-endpoint scopes. Acts oncomment Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
Tasks Read, create, update, and delete the tasks inside a story.4
POST	`/stories/{story-public-id}/tasks`	Create a task inside a story.	write	—	Current
Tasks are the checklist items inside a story. The API token has no per-endpoint scopes. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/stories/{story-public-id}/tasks/{task-public-id}`	Get a single task in a story.	read	—	Current
The API token has no per-endpoint scopes. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/stories/{story-public-id}/tasks/{task-public-id}`	Update a task, including marking it complete.	write	—	Current
Completing a task is done by setting its complete field here. The API token has no per-endpoint scopes. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/stories/{story-public-id}/tasks/{task-public-id}`	Delete a task from a story.	write	—	Current
The API token has no per-endpoint scopes. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook event`story-change` Rate limitStandard limits apply SourceOfficial documentation ↗
Epics List, read, create, update, and delete epics, and list the stories inside an epic.6
GET	`/epics`	List the epics in a workspace.	read	—	Current
A paginated variant exists at /api/v3/epics/paginated. The API token has no per-endpoint scopes. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/epics`	Create an epic.	write	—	Current
The API token has no per-endpoint scopes. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook event`epic-change` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/epics/{epic-public-id}`	Get a single epic.	read	—	Current
The API token has no per-endpoint scopes. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/epics/{epic-public-id}`	Update an epic.	write	—	Current
The API token has no per-endpoint scopes. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook event`epic-change` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/epics/{epic-public-id}`	Delete an epic.	write	—	Current
A delete cannot be undone. The API token has no per-endpoint scopes. Acts onepic Permission (capability)None required VersionAvailable since the API’s base version Webhook event`epic-change` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/epics/{epic-public-id}/stories`	List the stories inside an epic.	read	—	Current
The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Iterations List, read, create, update, and delete iterations, and list the stories in an iteration.6
GET	`/iterations`	List the iterations in a workspace.	read	—	Current
The API token has no per-endpoint scopes. Acts oniteration Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/iterations`	Create an iteration.	write	—	Current
Iterations must be enabled in the workspace. The API token has no per-endpoint scopes. Acts oniteration Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/iterations/{iteration-public-id}`	Get a single iteration.	read	—	Current
The API token has no per-endpoint scopes. Acts oniteration Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/iterations/{iteration-public-id}`	Update an iteration.	write	—	Current
The API token has no per-endpoint scopes. Acts oniteration Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/iterations/{iteration-public-id}`	Delete an iteration.	write	—	Current
The API token has no per-endpoint scopes. Acts oniteration Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/iterations/{iteration-public-id}/stories`	List the stories in an iteration.	read	—	Current
The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Workflows List the workflows in a workspace and read a single workflow with its states.2
GET	`/workflows`	List the workflows in a workspace.	read	—	Current
A workflow holds the set of states a story moves through. The API token has no per-endpoint scopes. Acts onworkflow Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/workflows/{workflow-public-id}`	Get a single workflow with its states.	read	—	Current
Use the state IDs returned here when moving a story between states. The API token has no per-endpoint scopes. Acts onworkflow Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Projects List, read, create, update, and delete projects, and list the stories in a project.5
GET	`/projects`	List the projects in a workspace.	read	—	Current
The API token has no per-endpoint scopes. Acts onproject Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/projects`	Create a project.	write	—	Current
The API token has no per-endpoint scopes. Acts onproject Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/projects/{project-public-id}`	Get a single project.	read	—	Current
The API token has no per-endpoint scopes. Acts onproject Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/projects/{project-public-id}`	Update a project.	write	—	Current
The API token has no per-endpoint scopes. Acts onproject Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/projects/{project-public-id}`	Delete a project.	write	—	Current
A delete cannot be undone. The API token has no per-endpoint scopes. Acts onproject Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Members List the members of a workspace, read a single member, and read the token owner's own member info.3
GET	`/members`	List the members of a workspace.	read	—	Current
Returns each member's name, email address, and role. The API token has no per-endpoint scopes. Acts onmember Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/members/{member-public-id}`	Get a single member.	read	—	Current
The API token has no per-endpoint scopes. Acts onmember Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/member`	Get the member info for the token's owner.	read	—	Current
Identifies whose account a token acts as. The API token has no per-endpoint scopes. Acts onmember Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Labels List, read, create, update, and delete labels, and list the stories or epics carrying a label.6
GET	`/labels`	List the labels in a workspace.	read	—	Current
The API token has no per-endpoint scopes. Acts onlabel Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/labels`	Create a label.	write	—	Current
The API token has no per-endpoint scopes. Acts onlabel Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/labels/{label-public-id}`	Get a single label.	read	—	Current
The API token has no per-endpoint scopes. Acts onlabel Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/labels/{label-public-id}`	Update a label.	write	—	Current
The API token has no per-endpoint scopes. Acts onlabel Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/labels/{label-public-id}`	Delete a label.	write	—	Current
Removing a label takes it off every story and epic carrying it. The API token has no per-endpoint scopes. Acts onlabel Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/labels/{label-public-id}/stories`	List the stories carrying a label.	read	—	Current
The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Teams (Groups) List, read, create, and update teams, called groups in the API, and list a team's stories.4
GET	`/groups`	List the teams in a workspace, called groups in the API.	read	—	Current
A group in the API is what the Shortcut app calls a team. The API token has no per-endpoint scopes. Acts ongroup Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/groups`	Create a team.	write	—	Current
The API token has no per-endpoint scopes. Acts ongroup Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/groups/{group-public-id}`	Update a team.	write	—	Current
The API token has no per-endpoint scopes. Acts ongroup Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/groups/{group-public-id}/stories`	List the stories owned by a team.	read	—	Current
The API token has no per-endpoint scopes. Acts onstory Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Files Upload, list, read, update, and delete the files attached to stories.5
POST	`/files`	Upload one or more files and optionally attach them to a story.	write	—	Current
Sent as multipart/form-data rather than JSON. The API token has no per-endpoint scopes. Acts onfile Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/files`	List the uploaded files in a workspace.	read	—	Current
The API token has no per-endpoint scopes. Acts onfile Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/files/{file-public-id}`	Get a single uploaded file's metadata.	read	—	Current
The API token has no per-endpoint scopes. Acts onfile Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/files/{file-public-id}`	Update an uploaded file's details.	write	—	Current
The API token has no per-endpoint scopes. Acts onfile Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/files/{file-public-id}`	Delete an uploaded file.	write	—	Current
The API token has no per-endpoint scopes. Acts onfile Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Search Search across the workspace, or search specifically for stories, epics, iterations, objectives, or milestones.3
GET	`/search`	Search across stories and epics in one request.	read	—	Current
The API token has no per-endpoint scopes. Acts onsearch result Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/search/epics`	Search for epics.	read	—	Current
The API token has no per-endpoint scopes. Acts onsearch result Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/search/iterations`	Search for iterations.	read	—	Current
The API token has no per-endpoint scopes. Acts onsearch result Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Shortcut can notify an app or AI agent when something changes in a workspace, instead of the app repeatedly asking. A single outgoing webhook posts an event whenever a story or epic is created, updated, or deleted, with the old and new values of what changed.

Event	What it signals	Triggered by
`Story created, updated, or deleted`	The workspace webhook fires when a story is created, updated, or deleted, including changes to its tasks and comments. The action carries the entity_type 'story', the action 'create', 'update', or 'delete', and a changes object with the old and new values of what changed.	`/stories` `/stories/bulk` `/stories/from-template` `/stories/{story-public-id}` `/stories/{story-public-id}` `/stories/{story-public-id}/comments` `/stories/{story-public-id}/comments/{comment-public-id}` `/stories/{story-public-id}/comments/{comment-public-id}` `/stories/{story-public-id}/tasks` `/stories/{story-public-id}/tasks/{task-public-id}` `/stories/{story-public-id}/tasks/{task-public-id}`
`Epic created, updated, or deleted`	The same workspace webhook fires when an epic is created, updated, or deleted. The action carries the entity_type 'epic', the action 'create', 'update', or 'delete', and a changes object with the old and new values.	`/epics` `/epics/{epic-public-id}` `/epics/{epic-public-id}`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Shortcut limits how fast an app or AI agent can call, through a single request rate measured per minute that applies across the whole API.

Request rate

Shortcut limits the whole API to 200 requests per minute. There are no separate per-endpoint or per-method tiers, and the limit applies across every resource. A request that goes over is not processed and returns 429 Too Many Requests, so an integration should hold its sending rate under the ceiling and retry after the current minute. Bulk endpoints help here, since creating, updating, or deleting many stories in one call counts as a single request.

Pagination

Most list endpoints return all matching items in one response. Some larger collections offer a paginated variant, such as /api/v3/epics/paginated, which returns a next token to fetch the following page. Search endpoints return results in pages with a next token for the page after.

Request size

Requests and responses are JSON, apart from the file upload endpoint, which takes multipart form data. Public IDs identify stories, epics, and other entities in paths.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request was malformed, such as invalid JSON or a parameter in the wrong format.	Correct the request body or parameters and resend.
401	`Unauthorized`	The Shortcut-Token header is missing or the token is invalid.	Send a valid API token in the Shortcut-Token header.
403	`Forbidden`	The token is valid but the member it acts as is not permitted to perform the action.	Use a token whose owner has the required access in the workspace.
404	`Not Found`	The resource does not exist, or the token's owner cannot see it.	Confirm the path and public ID, and that the member can access the resource.
409	`Conflict`	The request conflicts with the current state of the resource.	Refetch the current state and retry once the conflict is resolved.
422	`Unprocessable Entity`	The request was well-formed but failed validation, such as a missing required field or an invalid reference ID.	Read the error message, correct the named field, and resend.
429	`Too Many Requests`	The 200 requests per minute rate limit was exceeded, so the request was not processed.	Slow the request rate and retry after the current minute.

Versioning & freshness

Version history.

Shortcut versions its API by a path segment, and v3 is the current version. Changes are backwards compatible, so new fields and endpoints are added without breaking existing integrations.

Version history

What changed, and when

Latest versionv3

v3Current version

Current REST API version

v3 is the current version of the Shortcut REST API, reached under /api/v3 at api.app.shortcut.com. It is the version published in the developer reference, and Shortcut ships only backwards-compatible changes to it, adding new fields and endpoints without breaking existing integrations. The product was renamed from Clubhouse to Shortcut in 2021, and the API host moved from api.clubhouse.io to api.app.shortcut.com while keeping the same v3 contract.

What changed

Authenticated with an API token in the Shortcut-Token header
Stories, epics, iterations, workflows, projects, members, labels, teams, comments, tasks, and files all exposed under /api/v3
Bulk create, update, and delete for stories, each counting as a single request against the rate limit
A single workspace-level outgoing webhook for story and epic changes

2021-02-03Feature update

External links on stories

A backwards-compatible v3 update renamed the external_tickets field on a story to external_links and added the ability to update a story's external links through the update-story endpoint. A new endpoint, GET /api/v3/external-link/stories, finds every story associated with a given external link. The old external_tickets parameter was deprecated on 30 April 2021. It was published on Wednesday 3 February 2021.

What changed

Renamed the story external_tickets field to external_links
Story external links can now be set through the update-story endpoint
Added GET /api/v3/external-link/stories to find stories by external link
Deprecated the external_tickets parameter as of 30 April 2021

2021-Earlier

Clubhouse renamed to Shortcut

In 2021 the product was renamed from Clubhouse to Shortcut, and the API host moved from api.clubhouse.io to api.app.shortcut.com. The version stayed v3 and the contract was unchanged, so the rename was a host and header change rather than a breaking API change. The Clubhouse-Token header became the Shortcut-Token header.

What changed

API host moved from api.clubhouse.io to api.app.shortcut.com
Authentication header renamed from Clubhouse-Token to Shortcut-Token
Version and endpoint contract kept as v3

An integration stays on v3 and picks up additive changes as they ship.

Shortcut release notes ↗

Questions

Shortcut API, answered.

How does an agent authenticate to the Shortcut API?+

By sending an API token in the Shortcut-Token header on every request. A workspace member creates the token under account settings, and it acts as that member. The REST API does not use OAuth, so there is no scoped consent screen; the hosted MCP server is the one place OAuth is used. A missing or invalid token returns 401.

Can a Shortcut token be limited to read-only or to certain resources?+

Not within Shortcut. A token has no per-endpoint scopes and inherits the full permissions of the member who made it, so a token that can read stories can also update and delete them, manage epics and iterations, and read every member's email. The only way to give an agent narrower access, such as read-only or one project, is a gateway in front of the API that enforces it per call.

What are the rate limits?+

The whole API is limited to 200 requests per minute, with no separate per-method tiers. A request over the limit is not processed and returns 429 Too Many Requests. Bulk endpoints help stay under the ceiling, since creating, updating, or deleting many stories in one call counts as a single request.

How does an agent receive changes without polling?+

By registering an outgoing webhook on the workspace. A single webhook posts an event to a chosen URL whenever a story or epic is created, updated, or deleted, with a changes object holding the old and new values. A Payload-Signature header, an HMAC-SHA-256 hash of the body against the webhook secret, confirms the event came from Shortcut.

Does Shortcut have an official MCP server for AI agents?+

Yes. Shortcut publishes its own MCP server, so a Model Context Protocol client can find, create, and update stories, epics, iterations, and docs. A hosted server connects over OAuth with no token setup, and a local option runs the @shortcut/mcp npm package using a SHORTCUT_API_TOKEN. The source is github.com/useshortcut/mcp-server-shortcut.

What is the difference between a project and a team in the API?+

Both group stories, but in different ways. A team, which the API calls a group, is a set of members that owns stories. A project is an older way of grouping stories and sits under a workflow. Stories can also be organised by epic and by iteration, so the same story may belong to a team, a project, an epic, and an iteration at once.

What is Bollard AI?

Control what every AI agent can do in Shortcut.

Bollard AI sits between a team's AI agents and Shortcut. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Shortcut token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Shortcut access in Bollard Browse all APIs →

Shortcut

Delivery Agent

Read stories ResourceOffReadFull use

Comment on stories ActionOffReadFull use

Delete stories ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Shortcut

How the Shortcut API works.

Connection & authentication methods.

REST API (v3)

MCP server (Model Context Protocol)

Outgoing webhooks

API token

OAuth (hosted MCP server)

What an AI agent can do in Shortcut.

Stories

Story comments

Tasks

Epics

Iterations

Workflows

Projects

Members

Labels

Teams (Groups)

Files

Search

Every Shortcut API method.

Stories

Story comments

Tasks

Epics

Iterations

Workflows

Projects

Members

Labels

Teams (Groups)

Files

Search

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Shortcut API, answered.

More productivity API guides for agents

Aha!

Miro

Canny

Coda

Notion

ClickUp

Control what every AI agent can do in Shortcut.