
Developer & API Terms

Last updated: March 31, 2026

1. Introduction

These Developer & API Terms (“Developer Terms”) govern your use of the IS.TEAM application programming interfaces (APIs), webhooks, API tokens, MCP Server, Desktop Timer API, and related developer tools (collectively, the “API”) provided by IS.TEAM LLC (“IS.TEAM,” “we,” “us,” or “our”).

These Developer Terms are supplementary to and incorporated into our Terms of Service and Acceptable Use Policy. In the event of a conflict between these Developer Terms and the main Terms of Service with respect to API access, these Developer Terms govern.

By generating an API token, setting up a webhook, connecting an MCP client, or otherwise accessing the IS.TEAM API, you (“Developer” or “you”) agree to these Developer Terms.


2. API Access and Authentication

2.1 LLM API Tokens

IS.TEAM provides workspace-scoped API tokens (prefixed ist_) that allow external applications and AI agents to interact with cards that have LLM access enabled.

Token Generation: Tokens are generated by workspace owners through Account Settings → API Tokens. Requires a Pro plan or higher.

Token Scoping: Each token is scoped to the workspace of its creator. A token can only access cards where LLM access has been explicitly enabled via Card Settings → IS.AI API.

Token Security:

  • Treat your ist_ tokens as passwords. Never share them publicly.
  • Do not embed tokens in client-side code, browser extensions, or public source code repositories.
  • Do not commit tokens to version control (e.g., Git).
  • Rotate tokens immediately if you suspect compromise.
  • IS.TEAM hashes tokens at rest; we cannot recover a lost token. You must generate a new one.

Token Revocation: Workspace owners can revoke any issued token at any time from Account Settings. Revoked tokens immediately cease to function.

2.2 Per-Card LLM Access

LLM API access for each card can be independently enabled or disabled by the card owner through Card Settings → IS.AI API. Each card has granular permission controls:

  • llmAccess — enables read access (required for all other permissions)
  • llmFlow — enables write operations (create, update, complete, move, reorder tasks, log time)
  • llmComment — enables posting comments on tasks

When LLM access is disabled for a card, all API requests targeting that card will return 404 regardless of token validity.

2.3 Authentication Methods

Method | Used By | Header
LLM Bearer Token | IS.AI API, MCP, Timer | Authorization: Bearer ist_{token}
Firebase Auth | Web app, webhook mgmt | Firebase ID Token
Stripe Signature | Stripe webhooks | stripe-signature header

2.4 No General REST API

IS.TEAM does not currently offer a general-purpose REST API beyond the endpoints documented in this agreement. Undocumented internal endpoints are not part of the public API and must not be used.


3. API Endpoints and Capabilities

3.1 List Cards

POST /api/mcp/exec

Returns all cards with LLM access enabled that the token owner can access.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "list_cards"
    }

3.2 Read Card

POST /api/mcp/exec

Returns the card content as Markdown — including tasks, connected notes, connected cards, team members, and available actions.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "read_card",
      "cardId": "{cardId}",
      "args": { "user": "{agentName}" }
    }

Query Parameters:

  • user (optional): Display name of the agent. Used for personalization and activity logs.

3.3 Create Task

POST /api/mcp/exec

Creates a new task. Only title is required. Optional fields: type (task | bug | feature | story), priority (low | medium | high), description, assignee, assignedBy, parentTask, dueDate, startDate, labels, storyPoints, color.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "create_task",
      "cardId": "{cardId}",
      "args": {
        "title": "Implement OAuth flow",
        "type": "feature",
        "priority": "high",
        "description": "Add Google OAuth login support",
        "assignee": "uid_abc123",
        "dueDate": "2026-04-15",
        "labels": ["auth", "backend"],
        "storyPoints": 5
      }
    }

3.4 Update Task

POST /api/mcp/exec

Updates an existing task. Only taskNumber is required — include only the fields you want to change. Pass null to clear a field.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "update_task",
      "cardId": "{cardId}",
      "args": {
        "taskNumber": 42,
        "priority": "medium",
        "labels": ["auth", "backend", "v2"],
        "dueDate": "2026-04-20"
      }
    }

3.5 Complete Task

POST /api/mcp/exec

Toggles a task's completion status.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "complete_task",
      "cardId": "{cardId}",
      "args": { "taskNumber": 42 }
    }

3.6 Move Task

POST /api/mcp/exec

Moves a task to a different card. Tasks can only move to directly connected cards (via canvas edges). Column title matching is case-insensitive.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "move_task",
      "cardId": "{cardId}",
      "args": {
        "taskNumber": 42,
        "targetCardTitle": "In Progress"
      }
    }

3.7 Post Comment

POST /api/mcp/exec

Posts a comment on a task. Comments are marked as AI-generated.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "add_comment",
      "cardId": "{cardId}",
      "args": {
        "taskNumber": 42,
        "text": "OAuth flow implemented. Ready for review."
      }
    }

3.8 Log Time

POST /api/mcp/exec

Logs time on a task. duration is in seconds (60–86,400). description is optional (max 2,000 chars). date defaults to today.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "log_time",
      "cardId": "{cardId}",
      "args": {
        "taskNumber": 42,
        "duration": 1800,
        "description": "Implemented OAuth callback handler",
        "date": "2026-04-01"
      }
    }

3.9 Reorder Tasks

POST /api/mcp/exec

Reorders tasks within a card. First item = top, last item = bottom. Must include all task numbers.

request.json
    POST /api/mcp/exec
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "tool": "reorder_tasks",
      "cardId": "{cardId}",
      "args": { "taskNumbers": [3, 1, 7, 2] }
    }

4. MCP Server

IS.TEAM provides an MCP (Model Context Protocol) server that enables AI clients such as Claude, Cursor, Windsurf, and other MCP-compatible tools to interact with cards programmatically.

Endpoint: https://is.team/mcp

Authentication: Bearer token using the same ist_ tokens as the IS.AI API.

Protocol: Stateless HTTP transport — compatible with serverless platforms.

4.1 Available Tools

Tool | Permission | Description
list_cards | Read | List all cards with LLM access enabled
read_card | Read | Get card content as markdown
create_task | Write (llmFlow) | Create a new task
update_task | Write (llmFlow) | Update an existing task
complete_task | Write (llmFlow) | Mark a task as complete/incomplete
move_task | Write (llmFlow) | Move a task to a connected card
add_comment | Comment (llmComment) | Post a comment on a task
log_time | Write (llmFlow) | Log time on a task

All terms, rate limits, security requirements, and restrictions that apply to the IS.AI API also apply to MCP Server access.


5. Webhooks (Outgoing)

5.1 Overview

Outgoing webhooks allow IS.TEAM to send real-time event notifications to URLs you configure. When a supported event occurs, IS.TEAM sends an HTTP POST request to your endpoint with a JSON payload.

5.2 Supported Events

Event | Description | Trigger Source
task.created | A task was created | Incoming webhook
task.completed | A task was marked complete | IS.AI API
task.moved | A task was moved to a different card | IS.AI API
task.commented | A comment was posted | Comment notification

Note: Outgoing webhooks are triggered only by server-side events (API calls and incoming webhooks). Client-side actions do not currently trigger outgoing webhooks.

5.3 Webhook Management

Webhooks are managed through Workspace Settings → Webhooks (owner role required). Requires Pro plan or higher.

  • Maximum webhooks per workspace: 10
  • Webhook fields: Name, URL (HTTPS required), subscribed events, enabled/disabled toggle

CRUD /api/webhooks/outgoing

All webhook management endpoints require Firebase Auth with workspace owner role.

endpoints.txt
    GET    /api/webhooks/outgoing        — List all (secrets stripped)
    POST   /api/webhooks/outgoing        — Create a new webhook
    PATCH  /api/webhooks/outgoing/{id}   — Update a webhook
    DELETE /api/webhooks/outgoing/{id}   — Delete a webhook
    Authorization: Firebase Auth (workspace owner role)

5.4 Webhook Security — HMAC Signature

Every outgoing webhook request is signed with an HMAC-SHA256 signature using your webhook's secret key.

Signature Headers:

  • X-IsTeam-Signature: sha256={hex_digest}
  • X-IsTeam-Event: {event_name}
  • X-IsTeam-Delivery: {unique_delivery_id}

5.5 Verifying the Signature

Verification Example

Always verify webhook signatures. Unverified webhooks are a security risk.

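verify.js
    const crypto = require("crypto");

    // rawBody: the exact request body as received, before any JSON parsing.
    function verifyWebhookSignature(rawBody, signatureHeader, secret) {
      const expected = Buffer.from(
        "sha256=" +
          crypto.createHmac("sha256", secret).update(rawBody, "utf8").digest("hex")
      );
      const received = Buffer.from(signatureHeader || "");
      // timingSafeEqual throws if the lengths differ, so reject those first.
      if (expected.length !== received.length) return false;
      return crypto.timingSafeEqual(expected, received);
    }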

5.6 Webhook Payload Format

POST Your Webhook URL

Fields in data are event-dependent: task.created includes task only; task.moved adds movedTo; task.commented adds comment + author.

headers.txt
    POST {your_webhook_url}
    X-IsTeam-Signature: sha256={hex_digest}
    X-IsTeam-Event: task.created
    X-IsTeam-Delivery: {unique_id}
    Content-Type: application/json

5.7 Delivery Behavior

  • Best-effort, fire-and-forget delivery
  • No retries for failed deliveries in the current version
  • 10-second timeout — your endpoint must respond within 10 seconds
  • Return any 2xx status code to acknowledge receipt
  • Webhook URLs must be HTTPS
  • Delivery failures do not affect other IS.TEAM operations

5.8 Your Endpoint Responsibilities

  • Validate HMAC signatures before processing payloads
  • Process webhook events idempotently where possible
  • Do not rely on webhooks as the sole mechanism for critical business logic
  • IS.TEAM may suspend delivery to consistently failing endpoints
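
A receiver-side handler combining the signature check from 5.5 with the responsibilities in 5.8, as an added example (not IS.TEAM's code): it verifies the HMAC over the raw body, parses JSON only after verification, and de-duplicates on X-IsTeam-Delivery. The secret, delivery IDs, body shape and in-memory Set are constructed assumptions.

```javascript
const crypto = require("crypto");

// Constructed demo secret; a real one is the webhook's own secret key.
const SECRET = "constructed-demo-secret";
// Delivery IDs already handled. Assumption: in-memory only; a real receiver
// would use a shared store with expiry.
const seenDeliveries = new Set();

function sign(rawBody, secret) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

function signatureIsValid(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== "string") return false;
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(signatureHeader);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// headers: lower-cased names, as Node's http module provides them.
// rawBody: Buffer of the exact bytes received, before any JSON parsing.
function handleDelivery(headers, rawBody, secret = SECRET) {
  if (!signatureIsValid(rawBody, headers["x-isteam-signature"], secret)) {
    return { status: 401, action: "rejected" };
  }
  const deliveryId = headers["x-isteam-delivery"];
  if (!deliveryId) return { status: 400, action: "rejected" };
  if (seenDeliveries.has(deliveryId)) {
    return { status: 200, action: "duplicate" }; // acknowledge, do not reprocess
  }
  let payload;
  try {
    payload = JSON.parse(rawBody.toString("utf8")); // parse only after verifying
  } catch {
    return { status: 400, action: "rejected" };
  }
  seenDeliveries.add(deliveryId);
  return { status: 200, action: "processed", event: headers["x-isteam-event"], payload };
}

// Constructed sample delivery; the body shape is an assumption for the demo.
const demoBody = Buffer.from(JSON.stringify({ data: { task: { title: "Demo" } } }));
const demoHeaders = {
  "x-isteam-signature": sign(demoBody, SECRET),
  "x-isteam-event": "task.created",
  "x-isteam-delivery": "constructed-delivery-1",
};
console.log(handleDelivery(demoHeaders, demoBody));              // first delivery
console.log(handleDelivery(demoHeaders, demoBody));              // same delivery ID again
console.log(handleDelivery(demoHeaders, Buffer.from("{}")));     // body changed after signing
```

In the verify.js shown in 5.5 the digest covers the body only, so the X-IsTeam-Event and X-IsTeam-Delivery values are not authenticated by it; treat the delivery-ID check as protection against accidental duplicates.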

6. Webhooks (Incoming)

6.1 Create Task via Incoming Webhook

POST /api/webhooks/incoming

Creates a new task in the specified column. Required fields: workspaceId, boardId, columnTitle, title. Optional: type, priority, description.

request.json
    POST /api/webhooks/incoming
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "workspaceId": "wid_xxxxx",
      "boardId": "board_xxxxx",
      "columnTitle": "To Do",
      "title": "New feature request from Zapier",
      "type": "feature",
      "priority": "medium",
      "description": "Customer requested dark mode support"
    }

7. Desktop Timer API

The Desktop Timer API powers the standalone Tauri desktop app (macOS, Windows, Linux) for time tracking. These endpoints are authenticated via ist_ tokens.

7.1 Validate Token

GET /api/timer/validate

Validates the token and returns the associated workspace name.

request.json
    GET /api/timer/validate
    Authorization: Bearer ist_{token}

7.2 List Workspaces

GET /api/timer/workspaces

Returns all workspaces the token owner is a member of.

request.json
    GET /api/timer/workspaces
    Authorization: Bearer ist_{token}

7.3 List Boards

GET /api/timer/boards

Returns all boards in a workspace.

request.json
    GET /api/timer/boards?workspaceId={id}
    Authorization: Bearer ist_{token}

7.4 Search Tasks

GET /api/timer/tasks

Searches for tasks by title or task number (max 20 results).

request.json
    GET /api/timer/tasks?q={query}&workspaceId={id}&boardId={id}
    Authorization: Bearer ist_{token}

7.5 Active Timer

GET /api/timer/active

Manage the active timer. PUT creates a new timer or sends a heartbeat. DELETE stops the timer.

endpoints.txt
    GET    /api/timer/active?workspaceId={id}    — Get active timer
    PUT    /api/timer/active                      — Start / heartbeat
    DELETE /api/timer/active?workspaceId={id}    — Stop timer
    Authorization: Bearer ist_{token}

7.6 Save Time

POST /api/timer/save

Saves a completed time tracking session. duration in seconds (0–86,400). description, startedAt, stoppedAt are optional.

request.json
    POST /api/timer/save
    Authorization: Bearer ist_{token}
    Content-Type: application/json

    {
      "taskId": "task_xxxxx",
      "duration": 1800,
      "workspaceId": "wid_xxxxx",
      "boardId": "board_xxxxx",
      "description": "Worked on OAuth callback",
      "startedAt": "2026-04-01T10:00:00.000Z",
      "stoppedAt": "2026-04-01T10:30:00.000Z"
    }

8. Token Management API

8.1 List Tokens

GET /api/mcp/token

Returns all LLM API tokens for the authenticated user.

request.json
    GET /api/mcp/token
    Authorization: Firebase Auth

8.2 Create Token

POST /api/mcp/token

Creates a new API token. Requires Pro plan or higher. The raw token value is only returned once — store it securely.

request.json
    POST /api/mcp/token
    Authorization: Firebase Auth
    Content-Type: application/json

    {
      "name": "My CI Token"
    }

8.3 Delete Token

DELETE /api/mcp/token

Permanently revokes and deletes the specified token.

request.json
    DELETE /api/mcp/token
    Authorization: Firebase Auth
    Content-Type: application/json

    {
      "tokenId": "tok_xxxxx"
    }

9. Rate Limits

9.1 Rate Limit Tiers

IS.TEAM uses three rate limit tiers, enforced per IP address per route:

Tier | Limit | Window
Strict | 10 req/min | 60 seconds
Default | 60 req/min | 60 seconds
Relaxed | 120 req/min | 60 seconds

9.2 Endpoint Rate Limits

Endpoint | Rate Limit
POST /api/mcp/exec | Default (60/min)
POST /mcp | Strict (10/min)
POST /api/webhooks/incoming | Default (60/min)
*/api/mcp/token | Strict (10/min)
*/api/webhooks/outgoing/* | Default (60/min)
*/api/timer/active | Relaxed (120/min)
*/api/timer/* (others) | Default (60/min)

9.3 Rate Limit Response

429 Too Many Requests

The Retry-After header indicates the number of seconds before the rate limit resets.

note.js
// When you exceed a rate limit:

9.4 Requesting Higher Limits

If your use case requires higher rate limits, contact hello@is.team with a description of your use case.


10. Zapier and Make.com Integration

IS.TEAM supports integration with Zapier and Make.com via incoming and outgoing webhooks.

10.1 Using Zapier/Make as an Action (Incoming)

Configure a Zapier/Make step to send an HTTP POST to /api/webhooks/incoming with a Bearer ist_{token} header and JSON body with required fields (workspaceId, boardId, columnTitle, title).

10.2 Using IS.TEAM as a Trigger (Outgoing)

Configure an outgoing webhook in Workspace Settings → Webhooks pointing to your Zapier “Webhooks by Zapier” Catch Hook URL or Make.com “Webhooks” module URL.

10.3 Third-Party Terms

Your use of Zapier or Make.com is governed by those platforms' own terms. IS.TEAM is not affiliated with Zapier or Make.com.


11. Prohibited API Uses

In addition to the prohibitions in the Acceptable Use Policy, you must not:

  • Use the API to systematically copy or archive IS.TEAM data for competitive intelligence
  • Circumvent per-card token scoping to discover or access other workspaces
  • Inject malicious content (XSS, SQL injection, command injection, prompt injection) via API fields
  • Use the API for denial-of-service attacks
  • Automate account creation, invitation sending, or billing operations without written approval
  • Access or modify data in cards for which you do not hold valid authorization
  • Distribute, resell, or sublicense API access without a separate written agreement

12. Changes to the API

We may add, modify, or deprecate API endpoints. We will:

  • Provide at least 60 days' advance notice for breaking changes
  • Mark deprecated endpoints with Deprecation response headers when feasible
  • Maintain backward compatibility for at least 60 days after deprecation

Breaking changes include: removing an endpoint, removing a required field, changing a field's type, reducing rate limits, or changing authentication.


13. Intellectual Property

IS.TEAM API IP: All API designs, documentation, and implementations are the intellectual property of IS.TEAM LLC.

Your Application IP: You retain ownership of applications you build using the API, subject to these Developer Terms.

Attribution: You may reference “Powered by IS.TEAM” or “Integrates with is.team” using our approved brand assets. You must not imply endorsement without prior written consent.


14. Disclaimer and Limitation of Liability

THE IS.TEAM API IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

IS.TEAM is not liable for:

  • Actions taken by automated agents under API tokens you have issued
  • Data loss or unintended changes caused by API operations you authorize
  • Failures of third-party webhook delivery
  • Business losses from API unavailability, rate limit enforcement, or API changes

15. Governing Law

These Developer Terms are governed by the same governing law and dispute resolution provisions as the main Terms of Service (Delaware law; AAA arbitration).


16. Contact

For API support, feature requests, or to report API-related security issues:

IS.TEAM LLC
8 The Green, Ste A
Dover, DE 19901
United States
Email: hello@is.team
Website: https://is.team

© 2026 IS.TEAM LLC. All rights reserved.