Reqio exposes a per-project REST API for backends and workflow tools that would rather call plain HTTP endpoints than speak MCP. It covers the same operations as the MCP server (backlog, conversations, widget config, project) plus two resources MCP does not expose: requesters and the notification feed.
Plan requirement
The v1 API is a Pro and Scale feature. Free projects cannot create API keys or call any v1 endpoint. If you need programmatic access on Free, upgrade to Pro.
Authentication
Every request needs a Bearer credential:
GET /p/{projectId}/api/v1/features HTTP/1.1
Host: reqio.app
Authorization: Bearer YOUR_CREDENTIAL
Two kinds of credential work here, resolved through the same pipeline:
- An API key, created at Project → Settings → API keys. Pick a name, one or more scopes, and an optional expiry. The raw key is shown exactly once at creation time; only its hash is stored.
- An MCP OAuth access token, the same opaque, audience-bound token issued by the OAuth authorization flow.
Both credential types are normalized to the same actor context before any endpoint runs, so a workflow tool can use a long-lived API key while an interactive agent uses its OAuth token, against the same API.
There is no CORS support on these routes. The v1 API is for server-to-server calls, not for calling directly from a browser.
Scopes
The v1 API checks the same scopes as the MCP server (see OAuth authorization), plus three REST-only scopes that have no MCP tool equivalent:
| Scope | What it grants |
|---|---|
| backlog:write | Create a new feature request via the API. |
| requesters:read | List the project's tracked (identified) users. |
| notifications:read | Read the project-wide notification feed. |
An API key can only be issued with scopes up to what the issuing user's role and the project's plan allow, the same rule that governs OAuth consent.
Daily quota
Every v1 call is metered against the project owner's plan, scoped per project (all of a project's API keys and OAuth clients share one counter). The quota resets at 00:00 UTC.
| Plan | Calls per day | |---|---| | Free | No access | | Pro | 10,000 | | Scale | 100,000 |
If the quota is exhausted, every endpoint returns the same error, regardless of which resource you called:
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
{
"error": {
"code": "API_QUOTA_EXCEEDED",
"message": "Daily API request limit reached for this project. It resets at 00:00 UTC. Upgrade for a higher limit."
}
}
The quota check runs after authentication and scope checks, so an unauthorized or forbidden call never burns a slot.
Every response uses the same envelope: { "data": ... } on success, { "error": { "code", "message" } } on failure, matching the dashboard's own API error shape.
Resources
All paths are relative to https://reqio.app/p/{projectId}/api/v1.
| Resource | Methods | Scope(s) |
|---|---|---|
| /features | GET, POST | backlog:read, backlog:write |
| /features/{id} | GET, PATCH, DELETE | backlog:read, status:write, features:delete |
| /features/{id}/comments | GET, POST | backlog:read, comments:write |
| /conversations | GET | conversations:read |
| /conversations/{id} | GET | conversations:read |
| /conversations/{id}/messages | GET, POST | conversations:read, conversations:write |
| /requesters | GET | requesters:read |
| /notifications | GET | notifications:read |
| /project | GET, PATCH | backlog:read, project:write |
| /project/widget | GET, PATCH | widget:read, widget:write |
PATCH /features/{id} changes status only, mirroring the MCP change_status tool. POST /conversations/{id}/messages posts a team reply, mirroring reply_conversation. Every write endpoint also re-runs assertCan against live project membership, so removing a team member or revoking a key takes effect on the very next call, with no separate invalidation step.
Creating a key
- Go to Project → Settings → API keys.
- Click Create key, give it a name, pick the scopes it needs, and optionally set an expiry date.
- Copy the raw key immediately. Reqio only stores its hash and cannot show it again.
- Revoke a key at any time from the same page. A revoked key is rejected on its very next use.
Only the project Owner can create or revoke API keys, the same issueTokens capability that gates MCP token issuance.