This article is a general introduction to making requests to the FeatBit REST API. For a complete list of the APIs and how to use each of them, see the Redoc-powered documentation at https://featbit-tio-api.zeabur.app/docs/index.html. If you are running FeatBit locally or on your own server, you can also open URL_OF_API_SERVER/docs. For example, the URL is http://localhost:5000/docs if you are running FeatBit on your local machine without HTTPS.


All REST API resources are authenticated with either personal or service access tokens. Other authentication mechanisms are not supported. You can manage personal access tokens on the Integration/Access tokens page.

Authentication using request header

The only way to authenticate with the API is by adding an Authorization header containing your access token to your requests. The value of the Authorization header must be your access token. To learn how to add this header, please refer to Using FeatBit REST API.


All resources expect and return JSON response bodies. Error responses also send a JSON body. To learn more about the error format of the API, read Errors.

In practice this means that you always get a response with a Content-Type header set to application/json.

In addition, request bodies for PATCH, POST, and PUT requests must be encoded as JSON with a Content-Type header set to application/json.


The API always returns errors in a common format. Here's an example:

    {
        "success": false,
        "errors": [
        ],
        "data": null
    }

The errors field indicates the general class of error.
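The following client sketch is an added example, not FeatBit's own code. It sends the access token as the Authorization header value, sets the JSON Content-Type on PATCH, POST and PUT bodies, and unwraps the success/errors/data envelope shown above. The environment variable name FEATBIT_ACCESS_TOKEN, the helper names, the rule of refusing plain HTTP to anything but loopback, and the expectation that successful responses carry "success": true are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_BASE = "http://localhost:5000"  # local address used on this page

class ApiError(Exception):
    """Raised when the response envelope does not report success."""
    def __init__(self, errors):
        super().__init__("FeatBit API error: %r" % (errors,))
        self.errors = errors

def build_request(method, url, token, body=None):
    """Build a request whose Authorization header value is the access token."""
    parts = urlsplit(url)
    # Assumption of this example: a token may travel in clear text only to loopback.
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("refusing to send an access token over plain HTTP")
    headers = {"Authorization": token, "Accept": "application/json"}
    data = None
    if method in ("PATCH", "POST", "PUT"):
        # Request bodies must be JSON with a matching Content-Type.
        headers["Content-Type"] = "application/json"
        data = json.dumps(body if body is not None else {}).encode("utf-8")
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def parse_envelope(content_type, raw):
    """Return the data member, or raise ApiError carrying the errors member."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("unexpected Content-Type: %s" % content_type)
    doc = json.loads(raw)
    if doc.get("success") is not True:  # assumed: OK responses set success to true
        raise ApiError(doc.get("errors") or [])
    return doc.get("data")

def call(method, path, body=None):
    """Send one request; the token is read from the environment, not the source."""
    token = os.environ["FEATBIT_ACCESS_TOKEN"]  # variable name chosen for this example
    req = build_request(method, API_BASE + path, token, body)
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # error responses also send a JSON body
    with resp:
        return parse_envelope(resp.headers.get("Content-Type", ""), resp.read())
```

Reading the token from the environment keeps it out of source control and shell history.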


The FeatBit API supports Cross-Origin Resource Sharing (CORS) for AJAX requests from any origin. If an Origin header is given in a request, it will be echoed as an explicitly allowed origin. Otherwise the response carries a wildcard, Access-Control-Allow-Origin: *. For more information on CORS, read the CORS W3C Recommendation. Example CORS headers might look like:

Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding, Authorization
Access-Control-Allow-Methods: OPTIONS, GET, DELETE, PATCH
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 300

You can make authenticated CORS calls just as you would make same-origin calls, using access token authentication. You should never expose your access tokens to untrusted entities.