Thicket API
Thicket exposes a versioned REST API at /api/v1. The web app is built on the same service layer, so behavior is identical through either surface — everything you can do in the product has a corresponding route.
- Base path —
/api/v1. Org-scoped routes embed the organization slug:/api/v1/{org-slug}/… - JSON —
snake_casekeys, no response envelope. Resources are returned directly. - Errors — a consistent error object with conventional status codes:
400malformed JSON,401no session,402plan limit reached,403forbidden,404missing or not yours,422validation. - Roles —
owner,admin,member,client. Clients only see projects they were explicitly added to and, inside them, only items shared with clients. - Tenancy — every org-scoped request is isolated to your organization with database row-level security. A valid session in one organization returns 404 for anything in another.
{
"error": {
"code": "not_found",
"message": "Not found"
}
}The API authenticates with the same session cookie the web app uses, obtained from the auth endpoints. Personal access tokens are a planned addition — the surface is designed so they slot in without route changes.
| Method | Path | Notes |
|---|---|---|
| POST | /api/auth/sign-up/email | {name, email, password} — sets the session cookie |
| POST | /api/auth/sign-in/email | {email, password} — sets the session cookie |
| POST | /api/auth/sign-out | Clears the session |
| GET | /api/auth/get-session | Current session, or null |
# Sign in, keep the cookie, then call the API
curl -c cookies.txt -X POST https://www.thickethq.com/api/auth/sign-in/email \
-H "Content-Type: application/json" \
-d '{"email": "[email protected]", "password": "..."}'
curl -b cookies.txt https://www.thickethq.com/api/v1/orgsDiscover the organizations your account belongs to; their slugs key every other route.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/orgs | Your organizations: id, name, slug, role |
Projects contain the tools (message board, to-dos, docs & files, schedule, card table, chat) and the people working with them.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/projects | Active projects you can access; ?status=archived|trashed |
| POST | /api/v1/{org}/projects | {name, description?, all_access?} → 201 |
| GET | /api/v1/{org}/projects/{id} | Project plus its enabled tools |
| PATCH | /api/v1/{org}/projects/{id} | {name?, description?, all_access?} |
| PUT | /api/v1/{org}/projects/{id}/status/{status} | Lifecycle: active, archived, or trashed |
| PUT | /api/v1/{org}/projects/{id}/tools/{tool} | {enabled} — toggle a tool |
| GET | /api/v1/{org}/projects/{id}/people | People on the project |
| PUT | /api/v1/{org}/projects/{id}/people | {membership_ids: []} — set explicit access |
Every piece of content — messages, comments, to-do lists, to-dos, documents, uploads, schedule entries, card columns, cards, chat lines — is a recording sharing one lifecycle, one comment system, and one subscription system. Content is created under its parent container with a typed child request.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/recordings?type=todo | Cross-project query; &project_id=, &status= |
| GET | /api/v1/{org}/recordings/{id} | Any recording by id |
| PATCH | /api/v1/{org}/recordings/{id} | {title?, content?, due_on?, starts_at?, ends_at?, all_day?} |
| PUT | /api/v1/{org}/recordings/{id}/status/{status} | active | archived | trashed — trash is recoverable |
| GET / POST | /api/v1/{org}/recordings/{id}/children | List or create content under a container (e.g. a to-do in a list) |
| GET / POST | /api/v1/{org}/recordings/{id}/comments | Comments on any commentable recording |
| PUT / DELETE | /api/v1/{org}/recordings/{id}/completion | Complete or reopen to-dos, cards, and card steps |
| PUT | /api/v1/{org}/recordings/{id}/position | {parent_id?, position?} — reorders and kanban moves |
| GET / PUT | /api/v1/{org}/recordings/{id}/assignees | {membership_ids: []} — new assignees are notified |
| GET / PUT / DELETE | /api/v1/{org}/recordings/{id}/subscription | Your notification subscription on the recording |
Private conversations outside of projects, visible only to their participants. Project group chat is a project tool whose lines are recordings.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/chats | Your direct chats with participants and the last line |
| POST | /api/v1/{org}/chats | {membership_ids: []} — finds or starts the conversation |
A combined calendar across every accessible project's schedule. Recurring events (daily, weekly, monthly, or custom) expand at read time; iCal feeds let external calendar apps subscribe.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/calendar?from=&to= | Items in the window; &just=me, &tasks=true, &projects= |
| POST | /api/v1/{org}/calendar | {project_id, title, starts_at, ends_at?, all_day?, recurrence?, participant_ids?} |
| PATCH | /api/v1/{org}/calendar/{event_id} | Edit the event or series; invitees are notified |
| GET | /api/v1/{org}/my/events | Your events for the next 7 days |
| GET | /api/v1/{org}/my/do-today | {events, tasks} for today |
| GET / POST | /api/v1/{org}/calendar/feeds | iCal feeds; POST {project_id?, include_tasks?} → {url} |
Org membership, invitations, and the directory structures around them.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/people | Org members with role and company |
| POST | /api/v1/{org}/people | {email, role, company_id?} — invite (plan limits apply) |
| PATCH | /api/v1/{org}/people/{membership_id} | {role?, company_id?} |
| DELETE | /api/v1/{org}/people/{membership_id} | Remove from the org (self = leave) |
| GET / POST | /api/v1/{org}/companies | Companies; POST {name, is_client?} |
| GET / POST | /api/v1/{org}/groups | Groups bundle non-client people |
Personal, cross-project views.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/my/notifications | {unread_count, notifications}; ?unread=true |
| PUT | /api/v1/{org}/my/notifications | Mark all read |
| GET | /api/v1/{org}/my/assignments | Open work assigned to you across projects |
| GET | /api/v1/{org}/search?q=… | Full-text search; &project_id=, &type=, &creator_id=, date filters |
Uploads live in a project's Docs & Files tool; downloads redirect to short-lived signed URLs.
| Method | Path | Notes |
|---|---|---|
| POST | /api/v1/{org}/recordings/{vault_id}/uploads | multipart/form-data with file (≤ 50 MB) → 201 |
| GET | /api/v1/{org}/uploads/{id}/download | 302 to a short-lived presigned URL |
Owner-only management of the organization's plan and data.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/{org}/billing | Tier, status, trial, and usage vs limits |
| POST | /api/v1/{org}/billing/create-checkout | {price_id, billing_interval} → Stripe Checkout URL (owner) |
| POST | /api/v1/{org}/billing/create-portal | Stripe customer portal URL (owner) |
| GET | /api/billing/prices | Public price catalog (monthly/yearly Pro) |
| GET | /api/v1/{org}/account/export | Full JSON export download (owner) |
Personal preferences that apply across all of your organizations.
| Method | Path | Notes |
|---|---|---|
| GET / PATCH | /api/v1/me/preferences | Timezone, time format, week start, theme, notification settings, quiet hours, out-of-office |
This reference is evolving. The API covers substantially more than the highlights above — including check-ins, client approvals, progress charts, templates, public links, trash recovery, and message categories — and grows with the product. Routes documented here are stable under the /api/v1 version.
Questions, or need an endpoint detailed? [email protected]