Authentication

All requests to the Productboard REST API v2 must be authenticated. We support four authentication methods to suit different use cases:

1. API Token (Personal Access Token)

Use this if you're:

  • Making requests from a script, CLI, or server you control
  • Building a private integration
  • Just getting started and want the simplest setup

How to authenticate with an API token


2. OAuth 2.0 (Authorization Code)

Use this if you’re:

  • Building a public or third-party integration
  • Acting on behalf of multiple Productboard users
  • Handling dynamic user consent and refreshable access tokens

Set up OAuth 2.0 Authorization Code


3. OAuth Server-to-Server (JWT)

Use this if you’re:

  • Running a fully backend integration with no user-facing UI
  • Automating backend-to-backend jobs or pipelines
  • Acting on behalf of specific users in your Productboard workspace (e.g. syncing data as them for permissioning or audit)

Set up OAuth Server-to-Server


4. OAuth for MCP Clients (Dynamic Client Registration + PKCE)

Use this only if you’re:

  • Building an MCP (Model Context Protocol) client that registers itself and signs in on a user's behalf

This is a specialized flow for MCP clients, not a general REST API method. Connecting an existing agent (Claude Code, Cursor, …) needs none of it — see Connecting your agent.

Set up OAuth for MCP Clients


Not sure which one to choose?

Here’s a quick guide:

Use caseRecommended method
Simple scripts or internal toolsAPI Token
Public apps with user sign-in and consentOAuth 2.0 (Authorization Code)
Backend automation acting as specific usersOAuth Server-to-Server (JWT)

→ Still not sure? Start with API Token for the fastest setup.


Passing the token in requests

All methods require the Authorization header:

Authorization: Bearer <your-token>

Example with curl:

curl -X GET "https://api.productboard.com/v2/notes" \
  -H "Authorization: Bearer <your-token>" \
  -H "Accept: application/json"

Troubleshooting

If you receive a 401 Unauthorized response:

  • Check that your token is valid and not expired
  • Make sure you're using the correct authentication flow
  • Confirm that your request is going to the /v2 base URL

Need help or have questions?