Developer & API Terms

1. Introduction

These Developer & API Terms ("Developer Terms") govern your use of the IS.TEAM application programming interfaces (APIs), webhooks, API tokens, and related developer tools (collectively, the "API") provided by IS.TEAM LLC ("IS.TEAM," "we," "us," or "our").

These Developer Terms are supplementary to and incorporated into our Terms of Service and Acceptable Use Policy. In the event of a conflict between these Developer Terms and the main Terms of Service with respect to API access, these Developer Terms govern.

By generating an API token, setting up a webhook, or otherwise accessing the IS.TEAM API, you ("Developer" or "you") agree to these Developer Terms.

2. API Access and Authentication

2.1 IS.AI LLM API Tokens

IS.TEAM provides board-scoped API tokens (prefixed ist_) that allow external applications and AI agents to interact with specific boards.

Token Generation: Tokens are generated by board owners or workspace owners through Board Settings → IS.AI API.

Token Scoping: Each token is scoped to a single board. A token cannot be used to access, read, write, or enumerate data from any other board or workspace.

Token Security:

Treat your ist_ tokens as passwords. Never share them publicly.
Do not embed tokens in client-side code, browser extensions, or public source code repositories.
Do not commit tokens to version control (e.g., Git).
Rotate tokens immediately if you suspect compromise.
IS.TEAM hashes tokens at rest; we cannot recover a lost token. You must generate a new one.

Token Revocation: Board owners can revoke any issued token at any time from Board Settings. Revoked tokens immediately cease to function.

2.2 Per-Board Enable/Disable

The IS.AI API access for each board can be independently enabled or disabled by the board owner. When disabled, all ist_ tokens issued for that board are inactive regardless of individual token validity.

2.3 No General REST API

IS.TEAM does not currently offer a general-purpose REST API beyond the IS.AI endpoints documented in this agreement. Undocumented internal endpoints are not part of the public API and must not be used. Accessing undocumented endpoints violates these Developer Terms and the Acceptable Use Policy.

3. API Endpoints and Capabilities

3.1 IS.AI API — Read Board

GET /api/llm/{boardId}?user={agentName}
Authorization: Bearer ist_{token}

Returns the board's column structure, all tasks in each column (title, type, priority, assignee, due date, labels, story points, description, comments), and the board's name.

Query Parameters:

user (required): Display name of the agent making the request. Shown in activity logs.

Response: JSON object containing board metadata and an array of columns, each with an array of tasks.

3.2 IS.AI API — Complete Task

POST /api/llm/{boardId}/complete-task
Authorization: Bearer ist_{token}
Content-Type: application/json

{
  "taskId": "string",
  "completed": true | false
}

Marks a task as complete or incomplete.

3.3 IS.AI API — Move Task

POST /api/llm/{boardId}/move-task
Authorization: Bearer ist_{token}
Content-Type: application/json

{
  "taskId": "string",
  "columnTitle": "string"
}

Moves a task to a different column identified by its title. Column title matching is case-insensitive exact match.

3.4 IS.AI API — Post Comment

POST /api/llm/{boardId}/comment
Authorization: Bearer ist_{token}
Content-Type: application/json

{
  "taskId": "string",
  "comment": "string",
  "authorName": "string"
}

Posts a comment on a task. Comments are marked as AI-generated and attributed to authorName. Maximum comment length: 10,000 characters.

3.5 Incoming Webhook — Create Task

POST /api/webhooks/incoming
Authorization: Bearer ist_{token}
Content-Type: application/json

{
  "workspaceId": "string",
  "boardId": "string",
  "columnTitle": "string",
  "title": "string",
  "type": "task" | "bug" | "story" | "epic",
  "priority": "low" | "medium" | "high" | "urgent",
  "description": "string"
}

Creates a new task in the specified column. The ist_ token must have write access (owner or write-role member). Returns { id, taskNumber, title, boardId, columnTitle }.

4. Webhooks (Outgoing)

4.1 Overview

Outgoing webhooks allow IS.TEAM to send real-time event notifications to URLs you configure. When a supported event occurs, IS.TEAM sends an HTTP POST request to your endpoint with a JSON payload.

4.2 Supported Events

Event	Description	Trigger Source
`task.created`	A task was created	Incoming webhook only (in this MVP)
`task.completed`	A task was marked complete	IS.AI API complete-task endpoint
`task.moved`	A task was moved to a different column	IS.AI API move-task endpoint
`task.commented`	A comment was posted on a task	Comment notification route

MVP Limitation: Outgoing webhooks are triggered only by server-side events (API calls and incoming webhooks). Client-side actions (drag-and-drop, direct board edits) do not currently trigger outgoing webhooks. Future updates may expand trigger sources.

4.3 Webhook Management

Webhooks are managed through Workspace Settings → Webhooks (owner role required):

Maximum webhooks per workspace: 10
Webhook fields: Name, URL (HTTPS required), subscribed events, enabled/disabled toggle

4.4 Webhook Security — HMAC Signature

Every outgoing webhook request is signed with an HMAC-SHA256 signature using your webhook's secret key.

Signature Headers:

X-IsTeam-Signature: sha256={hex_digest}
X-IsTeam-Event: {event_name} (e.g., task.created)
X-IsTeam-Delivery: {unique_delivery_id}

Verifying the Signature:

const crypto = require("crypto");

function verifyWebhookSignature(rawBody, signatureHeader, secret) {
  const expected = "sha256=" + crypto
    .createHmac("sha256", secret)
    .update(rawBody, "utf8")
    .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signatureHeader)
  );
}

You should:

Read the raw request body as a string (do not parse JSON first)
Compute the expected signature using your webhook secret
Compare using a timing-safe comparison (to prevent timing attacks)
Reject the request if signatures do not match

Always verify webhook signatures. Unverified webhooks are a security risk.

4.5 Webhook Payload Format

{
  "event": "task.created",
  "workspaceId": "wid_xxxxx",
  "boardId": "board_xxxxx",
  "timestamp": "2025-01-15T10:30:00.000Z",
  "data": {
    "task": {
      "id": "task_xxxxx",
      "taskNumber": 42,
      "title": "Implement dark mode",
      "type": "task",
      "priority": "high",
      "status": "in_progress",
      "assignee": null,
      "dueDate": null,
      "labels": [],
      "description": ""
    },
    "movedTo": "In Progress",
    "comment": "Reviewed and approved.",
    "author": "Claude Agent"
  }
}

Fields in data are event-dependent:

task.created: includes task only
task.moved: includes task + movedTo (destination column title)
task.completed: includes task
task.commented: includes task + comment + author

4.6 Webhook Delivery Behavior

IS.TEAM makes webhook deliveries as a best-effort, fire-and-forget operation
We do not retry failed deliveries (2xx response not received) in the current MVP; failed deliveries are logged but not re-queued
Webhook deliveries time out after 10 seconds. Your endpoint must respond within 10 seconds
Return any 2xx status code to acknowledge receipt; we do not inspect the response body
Webhook URLs must be HTTPS. HTTP-only URLs will be rejected at configuration time
Webhook delivery failures do not affect other IS.TEAM operations (task creation proceeds regardless of webhook outcome)

4.7 Your Webhook Endpoint Responsibilities

You are responsible for the security and availability of your webhook endpoint
Ensure your endpoint validates HMAC signatures before processing payloads
Process webhook events idempotently where possible (delivery may be duplicated in rare edge cases)
Do not use IS.TEAM webhook deliveries as the sole mechanism for critical business logic without fallback polling
IS.TEAM may suspend webhook delivery to endpoints that consistently return non-2xx responses

5. Rate Limits

5.1 IS.AI API Rate Limits

Endpoint	Rate Limit
`GET /api/llm/{boardId}`	60 requests/minute per token
`POST /api/llm/{boardId}/comment`	30 requests/minute per token
`POST /api/llm/{boardId}/complete-task`	30 requests/minute per token
`POST /api/llm/{boardId}/move-task`	30 requests/minute per token
`POST /api/webhooks/incoming`	60 requests/minute per token
Outgoing webhook CRUD	20 requests/minute per workspace (standard)

5.2 Rate Limit Response

When you exceed a rate limit, the API returns:

HTTP 429 Too Many Requests
Retry-After: {seconds}

The Retry-After header indicates the number of seconds before the rate limit resets.

5.3 Requesting Higher Limits

If your use case legitimately requires higher rate limits (e.g., large enterprise automations), contact hi@is.team with a description of your use case. We may offer custom limits on a case-by-case basis.

6. Zapier and Make.com Integration

IS.TEAM supports integration with Zapier and Make.com (and similar automation platforms) via:

Incoming webhooks using "Webhooks by Zapier" or "HTTP/Webhooks" modules
Outgoing webhooks using IS.TEAM's outgoing webhook configuration

6.1 Using Zapier/Make as an Action (Incoming)

Configure a Zapier/Make step to send an HTTP POST to /api/webhooks/incoming with:

Authorization: Bearer ist_{your_token} header
JSON body with required fields (workspaceId, boardId, columnTitle, title)

This creates a task in your IS.TEAM board from any trigger available in Zapier/Make (Salesforce deals, Google Sheets rows, emails, calendar events, etc.).

6.2 Using IS.TEAM as a Trigger (Outgoing)

Configure an outgoing webhook in IS.TEAM Workspace Settings → Webhooks pointing to your Zapier "Webhooks by Zapier" Catch Hook URL or Make.com "Webhooks" module URL. IS.TEAM will POST event payloads to these URLs.

6.3 Zapier/Make Terms

Your use of Zapier or Make.com is governed entirely by those platforms' own terms of service and privacy policies. IS.TEAM is not affiliated with and does not warrant the availability, accuracy, or terms of Zapier or Make.com.

7. Prohibited API Uses

In addition to the prohibitions in the Acceptable Use Policy, you must not:

Use the API to systematically copy or archive IS.TEAM board data for competitive intelligence or to build competing products
Circumvent per-board token scoping by chaining API calls to discover or access other workspaces
Inject malicious content (XSS, SQL injection, command injection, prompt injection against AI systems) via API request fields
Use the API for denial-of-service attacks against IS.TEAM or against third-party webhook endpoints
Automate account creation, invitation sending, or billing operations without explicit written approval
Access or modify data in boards for which you do not hold valid authorization
Distribute, resell, or sublicense API access to third parties without a separate written agreement with IS.TEAM

8. Changes to the API

We may add, modify, or deprecate API endpoints, parameters, response fields, or rate limits. We will:

Provide at least 60 days' advance notice via email and the API changelog for breaking changes
Mark deprecated endpoints with Deprecation response headers when technically feasible
Maintain backward compatibility for at least 60 days after a deprecation notice

We reserve the right to make non-breaking changes (adding new optional fields, new endpoints, new events) without advance notice.

Breaking changes include: removing an endpoint, removing a required field, changing a field's type or format, reducing rate limits, or changing authentication mechanisms.

9. Intellectual Property

IS.TEAM API IP: All API designs, documentation, and implementations are the intellectual property of IS.TEAM LLC. Nothing in these Developer Terms grants you ownership of any IS.TEAM intellectual property.

Your Application IP: You retain ownership of applications, automations, and integrations you build using the API, subject to these Developer Terms.

Attribution: If you publicly showcase or publish an integration built on IS.TEAM's API, you may reference "Powered by IS.TEAM" or "Integrates with is.team" using our approved brand assets (available at hi@is.team upon request). You must not imply IS.TEAM's endorsement without prior written consent.

10. Disclaimer and Limitation of Liability for API Use

THE IS.TEAM API IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

IS.TEAM IS NOT LIABLE FOR:

Actions taken by automated agents or systems operating under API tokens you have issued
Data loss, corruption, or unintended changes caused by API operations you authorize
Failures of third-party webhook delivery (Zapier, Make.com, custom endpoints)
Business losses resulting from API unavailability, rate limit enforcement, or changes to the API

Your liability for damage caused by your API usage (including misuse of tokens, misconfigured webhooks, or unauthorized agent behavior) is subject to the indemnification provisions in the Terms of Service.

11. Governing Law

These Developer Terms are governed by the same governing law and dispute resolution provisions as the main Terms of Service (Delaware law; AAA arbitration).

12. Contact

For API support, feature requests, or to report API-related security issues:

IS.TEAM LLC 123 Placeholder Street, Suite 100 Wilmington, DE 19801 United States Email: hi@is.team Security: security@is.team Website: https://is.team