API Reference and Access (Beta)
Build custom integrations, dashboards, and automations against your Ninety company data using a Personal Access Token.
How to Use Ninety's Public API
Ninety's Public API gives our users programmatic access to the core resources customers manage in Ninety: To-Dos, Issues, Rocks, Milestones, Scorecard, and Teams. The same engine that powers Ninety's integrations is now available directly, so you can build your own integrations against the same surface. Each call authenticates with a Personal Access Token (PAT) you generate in your User Settings, runs as you, and respects all of your in-app permissions.
Note: The Public API is currently in closed beta for a hand-selected cohort of Thrive customers. General availability is planned for summer 2026. Learn more about Ninety's beta program on the Currently in Beta at Ninety page. Endpoints, rate limits, and authentication flows may change before general availability.
What you can build with the API
The Public API is designed for customers, Implementers, and partners who already work in mixed tool stacks and want Ninety to connect to those tools directly. Common patterns include:
- Push Scorecard values automatically. Pipe Measurables values from your BI tool or data warehouse into Ninety on a recurring schedule, eliminating manual entry.
- Capture leadership-attention items from your other systems. Auto-create Issues in Ninety from your ticketing, support, or monitoring tools so nothing important gets lost.
- Bulk-create Rocks during quarterly planning. Create Rocks and Milestones from your strategy document, planning tool, or annual planning process without re-typing decisions.
- Build custom client tooling as an Implementer. Generate client dashboards, intake flows, and meeting prep materials from live Ninety data.
- Embed Ninety into your own product as a partner. Read and write Ninety data programmatically from inside your own application.
What the API includes
The v1 API covers the following resources. Refer to the API reference documentation for full endpoint signatures, parameters, and response shapes.
| Ninety Resource | What you can do |
|---|---|
| To-Dos | Create, query, get by ID, update, delete. |
| Issues | Create, query, get by ID, update, delete. |
| Rocks | Create, query (filter by status, level, future scope, quarter, team; paginated), get by ID, update, soft-delete. |
| Milestones | Create (linked to a Rock), get by ID, update. |
| Scorecard | Query Measurables (filter by period interval, owner, search; paginated). Create, update, and delete Scores and Notes per Measurable and period. |
| Teams | List. |
In API payloads, Measurables are referenced as kpis, and their values are referenced as scores. The API documentation reflects the exact field names used in requests and responses.
Who can use the API
API access is gated by both your Ninety subscription plan and your user role.
Plan requirements:
- The API is available on the Thrive subscription plan.
- The Accelerate, Essentials, and Free plans do not include API access at this time.
Role requirements:
- Owners, Admins, Implementers, Managers, and Managees (Team Members) can generate a Personal Access Token.
- Observers cannot generate tokens.
Note: The API enforces the same permissions you have inside the Ninety app. If you cannot perform an action through the Ninety interface, you cannot perform it through the API either. Each user generates and manages their own tokens, so an Admin or Implementer cannot generate tokens or manage API access on behalf of someone else.
Rate limits
API requests are rate-limited by your company's subscription tier. Rate limits apply per user, and counts reset every second.
| Subscription tier | Rate limit |
|---|---|
| Essentials | API access not available at this time. |
| Accelerate | API access not available at this time. |
| Thrive | 25 requests per second. |
What happens if you exceed your rate limit:
If a request exceeds your tier's rate limit, the API returns a 429 Too Many Requests response. To handle 429 responses gracefully, back off for at least one second and retry. For sustained high-volume workloads, you have two options: design your client to stay under your tier's limit, or move to a higher tier in Ninety.
Need a higher rate limit?
If your tier's rate limit doesn't fit your workload, talk to your team about upgrading to a higher subscription tier.
How to generate a Personal Access Token
You generate Personal Access Tokens from your own User Settings. Each token is tied to your individual user and inherits the permissions your role gives you in the Ninety app.
- Click your name from the bottom of the left navigation.
- Click User Settings.
- Click Developer Settings.
- Click Generate New Token in the top right.
- In the Generate Personal Access Token dialog, choose a Token Expiration Timeframe from the dropdown. The default is 90 days.
- Enter a Token Description to identify what this token is for (50 character limit).
- Click Generate Token.
- Copy the token immediately and store it somewhere secure.
Warning: Treat your Personal Access Token like a password. Anyone with the token can call the API as you, within the same permissions you have in the Ninety app. Do not commit tokens to source control, paste them into chat tools, or share them. Ninety will display the full token only once, when you generate it. If you lose a token, generate a new one.
The Developer Settings page also lists best practices for managing your tokens over time: rotate tokens regularly (every 90 days is a good default), revoke tokens you're no longer using, and monitor each token's Last used timestamp for unexpected activity.
How to authenticate API requests
The API is a REST service that lives at https://api.public.ninety.io/v1. Authenticate each request by passing your Personal Access Token as a Bearer token in the Authorization header.
A quick way to verify your token works is to call GET /teams, which lists the teams you have access to in your company. If your token is valid, you'll receive a 200 OK response with your team list.
For full request and response details, including all required headers, parameters, and response shapes, refer to the API documentation.
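An added example (not Ninety's own code) that combines the Bearer authentication and GET /teams check above with the 429 handling from the Rate limits section. The NINETY_PAT environment variable name, the retry count, and the helper names are assumptions; any further required headers are in the API reference.

```python
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.public.ninety.io/v1"  # base URL given in this article
TOKEN_ENV = "NINETY_PAT"  # assumed variable name; keeps the token out of source control


def build_request(path, token, method="GET"):
    """Build a request that carries the PAT as a Bearer token."""
    if not token:
        # The message names the variable only; a token value is never echoed.
        raise ValueError(f"no token: set {TOKEN_ENV} in the environment")
    headers = {"Authorization": f"Bearer {token}"}
    return urllib.request.Request(BASE_URL + path, headers=headers, method=method)


def http_send(req):
    """Default transport: return (status, body), reporting HTTP errors as statuses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def call(path, token, send=http_send, sleep=time.sleep, max_retries=3):
    """Send a request; on 429 wait at least one second, then retry."""
    for attempt in range(max_retries + 1):
        status, body = send(build_request(path, token))
        if status != 429:
            return status, body
        if attempt < max_retries:
            sleep(1.0 + attempt)  # 1s, 2s, 3s: never below the one-second floor
    return status, body  # still 429 after max_retries (assumed default: 3)


def verify_token(token=None, **kwargs):
    """Token check from the article: GET /teams answers 200 OK for a valid token."""
    token = token or os.environ.get(TOKEN_ENV, "")
    status, _body = call("/teams", token, **kwargs)
    return status == 200
```

The `send` and `sleep` parameters exist so the retry path can be exercised offline with a stub transport before the client is pointed at the live API.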
Permissions and scope
Every API call honors the user and company boundaries Ninety enforces inside the app.
- Per-user scope. Each call executes as the user who generated the token. All actions are recorded against that user in Ninety's audit log.
- Per-company scope. Tokens are scoped to the company associated with the user. You cannot read or write data from another company through your token, even if you belong to multiple Ninety companies. Generate a separate token from each company's User Settings if you need cross-company access.
- In-app permissions enforced. If your role does not allow you to delete a Rock from another team in the Ninety app, the API will reject the same call. There is no admin or superuser override.
- No assignment to other users. All items created or updated through the API are assigned to the authenticated user. The API does not support assigning items to other users in v1.
What's not in v1
The first version of the API focuses on the highest-demand resources and operations. The following are not supported in v1 and may be added in future releases.
- No user directory or assignment endpoints. You cannot list users or assign items to anyone other than the token holder.
- No read endpoint for Scorecard values. You can write and delete Scores and Notes, but you cannot read them back through the API in v1.
- No delete endpoint for Milestones. Milestones can be created and updated through the API; deletion is not yet supported.
- No webhooks or push notifications. Clients poll the query endpoints. Webhook support is on the roadmap for a future release.
- No bulk-write operations across resources. Each create, update, and delete acts on one item at a time.
Full API reference
The complete reference for endpoint signatures, request and response shapes, parameters, error codes, and example payloads lives in the API reference documentation.
The API reference documentation is the authoritative reference. This help article provides orientation and the rules around access, rate limits, and permissions.
Frequently asked questions
Which plans include API access?
The Public API is available on the Essentials, Accelerate, and Thrive subscription plans. The Free plan does not include API access.
Can I generate a token as an Observer?
No. Observers cannot generate Personal Access Tokens or call the API. If you need API access, ask your company's Owner or Admin to change your role.
Can an Admin or Implementer generate tokens for other users?
No. Every user generates and manages their own tokens from their own User Settings. There is no admin-level token management in v1.
What happens if I hit my rate limit?
You'll receive a 429 Too Many Requests response. Back off for at least one second and retry. If you regularly hit the limit, talk to your team about upgrading to a higher subscription tier.
Can I read Scorecard values through the API?
Not in v1. You can write and delete Scores and Notes per Measurable and period, but you cannot read them back. You can, however, query the list of Measurables themselves.
How does the Public API compare to the Zapier integration?
The Public API gives you direct, code-level access to the same engine that powers Ninety's Zapier integration and the native integrations. Use the API when you need custom logic, your own UI, or volume beyond what Zapier supports. Use Zapier when you want a no-code path or pre-built recipes.
Is there an SDK or client library?
Not in v1. The API is a standard REST service over HTTPS, usable from any HTTP client, language, or platform. Use the API reference documentation to generate a client in your preferred language.
Can I have more than one Personal Access Token?
Yes. You can generate multiple tokens from User Settings > Developer Settings. Use the Token Description field to label each token for the integration or use case it's for. Revoke any tokens on the same page when you no longer need them.
What if I lose my token?
Generate a new one from User Settings > Developer Settings. Tokens are only displayed in full once, at the moment they're created, so a lost token cannot be recovered.