API overview
Plutio's REST API opens your workspace data to external tools, custom integrations, and automated workflows that go beyond what the built-in automation engine handles. Every major area is accessible through documented endpoints.
Covered areas
The API covers projects, tasks, invoices, proposals, contracts, contacts, time entries, wiki pages, conversations, forms, and bookings. Standard operations (create, read, update, delete) are exposed on each area, and endpoint references document the expected request format, response structure, and filtering options for every resource.
Authentication
API access uses OAuth2 with the client_credentials grant type. An API client (created in Settings > API manager) provides a client ID and client secret. A token request to the /oauth/token endpoint returns an access token, which is passed as a bearer token in subsequent API calls. Tokens expire after 72 hours and can be refreshed automatically.
Base URL and required headers
Every Plutio API request goes to https://api.plutio.com and needs both an OAuth bearer token and a workspace header. The token proves which API client is calling. The business header tells Plutio which workspace the request is for.
| Header | Value | Notes |
|---|---|---|
| Authorization | Bearer ACCESS_TOKEN | Use the temporary token returned by /oauth/token. |
| business | YOUR_PLUTIO_SUBDOMAIN | Use the first part of the Plutio workspace domain. For https://test.plutio.com, send test. |
If the business header is missing, Plutio can return {"code":400,"message":"Business undefined is not enabled for this client."}. That response means the token was accepted, but Plutio could not match the request to an enabled workspace.
Token request example
Use the client_credentials grant to create a temporary access token. The client ID and client secret come from API client management. The access token expires after 72 hours, so long-running integrations should request a new token when needed.
```http
POST https://api.plutio.com/v1.11/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
```
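The token request above and the two required headers, put together as a small client helper. This is an added example, not Plutio's own client library: it assumes the token endpoint answers with a JSON body containing `access_token` (and optionally `expires_in`), and the five-minute renewal margin is a constructed choice; the 72-hour lifetime, the `/v1.11/oauth/token` path and the `business` header rule come from this page.

```python
"""Obtain a Plutio access token with the client_credentials grant and build
the headers every later request needs. Added example, not Plutio's own code.
Assumed: the token endpoint returns JSON with "access_token" and optionally
"expires_in"; the 72-hour lifetime is stated on the page."""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.plutio.com"
TOKEN_PATH = "/v1.11/oauth/token"        # path shown on the page
TOKEN_LIFETIME_SECONDS = 72 * 60 * 60    # tokens expire after 72 hours
REFRESH_MARGIN_SECONDS = 5 * 60          # renew a little before expiry (assumed margin)


def build_token_request(client_id: str, client_secret: str) -> tuple[str, dict, bytes]:
    """Return (url, headers, body) for the client_credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return BASE_URL + TOKEN_PATH, headers, body


def subdomain_from_workspace_url(url: str) -> str:
    """Derive the business header value from a workspace URL such as https://test.plutio.com."""
    host = urllib.parse.urlparse(url).hostname or ""
    first = host.split(".")[0]
    if not first or first == "plutio":
        raise ValueError(f"cannot derive a workspace subdomain from {url!r}")
    return first


def build_api_headers(access_token: str, business: str) -> dict:
    """Headers for a workspace-scoped API call: bearer token plus business header.
    Rejects full hostnames so the 'Business undefined' class of error is caught locally."""
    if not business or "." in business or "/" in business:
        raise ValueError("business must be the bare subdomain, e.g. 'test' for https://test.plutio.com")
    return {
        "Authorization": f"Bearer {access_token}",
        "business": business,
        "Accept": "application/json",
    }


class TokenCache:
    """Holds one access token and re-requests it shortly before the 72-hour expiry.
    `transport` is a callable (url, headers, body) -> dict so it can be replaced
    in tests; the default performs the real HTTP POST."""

    def __init__(self, client_id, client_secret, transport=None, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport or self._post_form
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _post_form(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def token(self) -> str:
        """Return a valid token, fetching a new one when the cached one is near expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            url, headers, body = build_token_request(self._client_id, self._client_secret)
            payload = self._transport(url, headers, body)
            self._token = payload["access_token"]
            lifetime = float(payload.get("expires_in", TOKEN_LIFETIME_SECONDS))
            self._expires_at = now + lifetime
        return self._token
```

Keep the client secret out of source control and logs; `TokenCache` is the only place that sees it, and `build_api_headers` only ever carries the short-lived bearer token.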
Rate limits
Rate limits apply per API client to prevent overloading. The current rate limit and remaining allowance are returned in the response headers of each request, so integrations can monitor usage and throttle themselves when approaching the limit.
Troubleshooting API requests
Use the exact status code and error message to decide what to check first. A missing business header, a workspace that is not enabled for the client, an expired token, and a role permission issue all look different.
- 400 with "Business undefined": add the business header.
- 400 with "Business X is not enabled": enable that workspace on the API client or send the correct subdomain.
- 401 unauthorized: generate a fresh token and send it as Authorization: Bearer ACCESS_TOKEN.
- 403 forbidden: check the role and entity permissions behind the API client.
For the full checklist, see Common API errors.
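The checklist above as code: a classifier that maps a response to the check to perform, and a call wrapper that applies the one retry the list justifies (a fresh token on 401) and nothing more, since a 400 or 403 is a configuration problem that retrying will not fix. This is an added example, not Plutio's own code. The status codes and message texts are the ones on this page; the JSON error shape is taken from the `{"code":400,"message":...}` sample above, the 429 branch is an assumption, and the request path in the usage is a placeholder.

```python
"""Classify Plutio API error responses into the checks from the troubleshooting
list and retry once with a fresh token on 401. Added example, not Plutio's own
code. Error messages come from the page; the JSON {"code", "message"} shape is
taken from the sample error, and the 429 branch is an assumption."""
import json
import re
import urllib.request
from urllib.error import HTTPError

BASE_URL = "https://api.plutio.com"
_NOT_ENABLED = re.compile(r"^Business (?P<business>\S+) is not enabled for this client\.?$")


def _result(action, retry, hint):
    return {"action": action, "retry_after_token_refresh": retry, "hint": hint}


def classify_error(status: int, body: str) -> dict:
    """Return {"action", "retry_after_token_refresh", "hint"} for a failed response."""
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = body  # non-JSON body: use it verbatim
    m = _NOT_ENABLED.match(message or "")
    if status == 400 and m and m.group("business") == "undefined":
        return _result("add_business_header", False,
                       "send the workspace subdomain in the 'business' header")
    if status == 400 and m:
        return _result("enable_workspace_or_fix_subdomain", False,
                       f"workspace '{m.group('business')}' is not enabled on this API client")
    if status == 401:
        return _result("refresh_token", True, "token missing, expired or malformed")
    if status == 403:
        return _result("check_role_permissions", False,
                       "token accepted; the API client's role or entity permissions deny this")
    if status == 429:  # assumed status for the per-client rate limit
        return _result("back_off", False, "rate limit hit; read the limit headers and slow down")
    return _result("inspect", False, message or f"unexpected HTTP {status}")


def _http(method, url, headers):
    """Real transport: returns (status, body) and never raises on HTTP errors."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def call_with_refresh(method, path, headers_for, fresh_token, transport=None):
    """Perform one API call; on 401, obtain a new token and retry exactly once.
    headers_for(token) -> headers dict (must include Authorization and business);
    fresh_token() -> str; transport(method, url, headers) -> (status, body)."""
    transport = transport or _http
    token = fresh_token()
    for attempt in (1, 2):
        status, body = transport(method, BASE_URL + path, headers_for(token))
        if 200 <= status < 300:
            return {"ok": True, "status": status, "body": body, "attempts": attempt}
        verdict = classify_error(status, body)
        if verdict["retry_after_token_refresh"] and attempt == 1:
            token = fresh_token()  # 401: the page says to generate a fresh token
            continue
        return {"ok": False, "status": status, "attempts": attempt, **verdict}
```

Usage: `call_with_refresh("GET", "/v1.11/EXAMPLE_RESOURCE", lambda t: {"Authorization": f"Bearer {t}", "business": "test"}, cache.token)` where `cache.token` hands out the current token and `EXAMPLE_RESOURCE` stands for a real endpoint path from the endpoint references. Logging the returned `action` next to the status code gives an operator the first check to make without exposing the token.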
Common use cases
External systems can push contacts into Plutio's CRM from a marketing platform, pull invoice data into an accounting system, create tasks from an external project management tool, or sync time entries with a payroll service. Because the API covers every major area with full CRUD operations, data can flow in and out of Plutio without manual data entry between systems.