How to Use Ninety's Public API
Ninety's Public API provides programmatic access to core resources including To-Dos, Issues, Rocks, Milestones, Scorecard, and Teams. Authentication uses a Personal Access Token (PAT) generated in User Settings, with all calls executing under your user identity and respecting your in-app permissions.
Note: The Public API is currently in closed beta for selected Thrive customers. General availability is planned for summer 2026. Endpoints, rate limits, and authentication flows may change before general availability.
API documentation
Refer to the interactive API documentation for full endpoint signatures and example requests.
What you can build with the API
Common use cases include:
Push Scorecard values automatically from BI tools or data warehouses on a recurring schedule.
Capture leadership-attention items by auto-creating Issues from ticketing or monitoring tools.
Bulk-create Rocks during quarterly planning from strategy documents.
Build custom client tooling as a Coach with dashboards and intake flows.
Embed Ninety into your own product as a partner with programmatic read/write access.
What the API includes
The v1 API covers these resources:
Ninety Resource | What you can do |
To-Dos | Create, query, get by ID, update, delete |
Issues | Create, query, get by ID, update, delete |
Rocks | Create, query (with filters), get by ID, update, soft-delete |
Milestones | Create (linked to a Rock), get by ID, update |
Scorecard | Query KPIs, create/update/delete Scores and Notes |
Teams | List |
In API payloads, KPIs are referenced as kpis, and their values are referenced as scores.
Who can use the API
Plan requirements:
Available on the Thrive subscription plan only.
Accelerate, Essentials, and Free plans do not include API access.
Role requirements:
Owners, Admins, Coaches, Managers, and Team Members can generate tokens.
Observers cannot generate tokens.
The API enforces the same permissions you have within the Ninety app. Each user generates and manages their own tokens independently.
Rate limits
Rate limits apply per user and reset every second:
Subscription tier | Rate limit |
Essentials | API access not available |
Accelerate | API access not available |
Thrive | 25 requests per second |
Requests exceeding your rate limit receive a 429 Too Many Requests response. Back off for at least one second and retry. For sustained high-volume workloads, consider upgrading your subscription tier.
How to generate a Personal Access Token
Click your name from the bottom of the left navigation.
Click User Settings.
Click Developer Settings.
Click Generate New Token in the top right.
Choose a Token Expiration Timeframe (default: 90 days).
Enter a Token Description (50 character limit) identifying the token's purpose.
Click Generate Token.
Copy and store the token securely immediately.
Warning: Treat your Personal Access Token like a password. Anyone with the token can call the API as you. Do not commit tokens to source control, share them in chat, or paste them publicly. Ninety displays the full token only once at generation. If lost, generate a new one.
The Developer Settings page recommends rotating tokens every 90 days, revoking unused tokens, and monitoring the "Last used" timestamp for unexpected activity.
How to authenticate API requests
The API lives at https://api.public.ninety.io/v1. Authenticate requests by passing your Personal Access Token as a Bearer token in the Authorization header.
Verify your token works by calling GET /teams, which lists teams you can access. A valid token returns a 200 OK response with your team list.
Refer to the API documentation for full request and response details.
Permissions and scope
Every API call honors Ninety's user and company boundaries:
Per-user scope: Each call executes as the user who generated the token. All actions record against that user in the audit log.
Per-company scope: Tokens scope to the user's associated company. Generate separate tokens from each company's User Settings for cross-company access.
In-app permissions enforced: If your role prohibits an action in Ninety, the API rejects it. No admin or superuser override exists.
No assignment to other users: All created or updated items assign to the authenticated user. The API does not support assigning items to others in v1.
What's not in v1
No user directory or assignment endpoints.
No read endpoint for Scorecard values (write and delete only).
No delete endpoint for Milestones.
No webhooks or push notifications (polling required).
No bulk-write operations across resources.
Full API reference
Complete endpoint signatures, request and response shapes, parameters, error codes, and example payloads are available in the API reference documentation.
Frequently asked questions
Which plans include API access?
The Public API is available on the Thrive subscription plan only. The Free plan does not include API access.
Can I generate a token as an Observer?
No. Observers cannot generate Personal Access Tokens. Request a role change from your company's Owner or Admin.
Can an Admin or Coach generate tokens for other users?
No. Every user generates and manages their own tokens from their User Settings.
What happens if I hit my rate limit?
You receive a 429 Too Many Requests response. Back off for at least one second and retry. For regular limit hits, upgrade your subscription tier.
Can I read Scorecard values through the API?
Not in v1. You can write and delete Scores and Notes, but cannot read them. You can query the list of KPIs themselves.
How does the Public API compare to the Zapier integration?
The Public API provides direct, code-level access to the same engine powering Ninety's Zapier integration. Use the API for custom logic, custom UI, or high volumes. Use Zapier for no-code paths or pre-built recipes.
Is there an SDK or client library?
Not in v1. The API is a standard REST service usable from any HTTP client, language, or platform. Use the API reference documentation to generate a client in your preferred language.
Can I have more than one Personal Access Token?
Yes. Generate multiple tokens from User Settings > Developer Settings. Use the Token Description field to label each token. Revoke unused tokens on the same page.
What if I lose my token?
Generate a new one from User Settings > Developer Settings. Tokens display in full only once at creation, so lost tokens cannot be recovered.