Resources/The Agent API Atlas/Productivity/Basecamp

Everything an AI agent can do with the Basecamp API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints32

API versionBC3

Last updated23 June 2026

Orientation

How the Basecamp API works.

The Basecamp API is how an app or AI agent works with a Basecamp account: listing and creating projects, adding and completing to-dos, posting messages and documents, and sending lines into Campfire chats. Access is granted through a single OAuth token tied to one account, and that token can read and write everywhere the person who authorized it belongs, since Basecamp has no granular per-endpoint permissions. Basecamp can also push events to a webhook when something happens in a project.

32Endpoints

10Capability groups

16Read

16Write

1Permissions

Authentication

Every request uses an OAuth 2.0 access token, obtained after a person authorizes the app at launchpad.37signals.com and picks which account to use. Access tokens last two weeks and are renewed with a refresh token. Each request must also send a User-Agent header that identifies the app and gives a contact, or it is rejected with a 400. There is no API key or password option.

Permissions

Basecamp has no granular per-endpoint scopes. One OAuth token grants account-level access, and what it can reach is bounded entirely by the project memberships of the person who authorized it. A token can read and write every tool in every project that person belongs to, and nothing outside them. This is why governing access at the gateway matters: the API itself cannot narrow a token to read-only or to a single project.

Versioning

The current API is the BC3 generation, used by Basecamp 3 and Basecamp 4. It carries no version segment in the path and no version header to pin. Changes ship through updates to the public documentation rather than new dated versions, so an integration tracks a single, continuously current API.

Data model

Everything lives inside a project, called a bucket internally. A project's dock lists its enabled tools, such as the to-do set, message board, vault, schedule, and Campfire, each with the id needed to reach it. Most items are recordings, a shared base type, so endpoints for comments and for trashing or archiving work across every tool. Newer flat routes sit alongside legacy /buckets/{id}/ project-scoped routes that still work.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Basecamp determines what it can reach. Access runs through an OAuth 2.0 token tied to one account, and that token can read and write everywhere the authorizing person can.

Ways to connect

REST API

The BC3 REST API answers at https://3.basecampapi.com, with every path prefixed by the account id and ending in .json. A User-Agent header that identifies the app is required, or the request is rejected.

Best forConnecting an app or AI agent to Basecamp.

Governed byThe OAuth token and the project memberships of the person who authorized it.

Docs ↗

Webhooks

Webhooks deliver project events to a receiver URL over HTTPS. Each webhook is created on a single project, and Basecamp retries delivery with exponential backoff when the receiver fails.

Best forReceiving project activity without polling.

Governed byThe OAuth token used to create the webhook on a project.

Docs ↗

Chatbots

A chatbot posts lines to a Campfire using its own access key rather than an OAuth token. Its endpoint includes the project-scoped /buckets/{id}/ prefix and the chatbot key in the path.

Best forPosting automated messages into a Campfire chat.

Governed byThe chatbot's access key, scoped to the Campfires it is added to.

Docs ↗

Authentication

OAuth 2.0

OAuth 2.0 is the way an app or AI agent authorizes against Basecamp. A person grants access, the app receives an access token tied to one account, and that token can read and write everywhere the person can. There are no granular per-endpoint scopes.

TokenOAuth access token

Best forConnecting an app or AI agent to Basecamp

Docs ↗

Chatbot access key

A chatbot has its own access key instead of an OAuth token. It can only post lines into the Campfires it has been added to, and cannot reach the rest of the API.

TokenChatbot access key

Best forPosting messages into a Campfire as a bot

2 endpoints

List a project's webhooks and create a new one to receive events.

A webhook sends project activity to an outside URL.

View endpoints →

Endpoint reference

Every Basecamp API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Projects List, read, create, and update projects, and trash a project. Each project holds a dock of enabled tools.5
GET	`/projects.json`	List active projects visible to the current user, newest first. A status parameter can filter for archived or trashed projects.	read	`Account access`	Current
Returns only the projects the authorizing person belongs to. Basecamp has no granular per-endpoint scopes; one OAuth token grants account-level access bounded by the person's project memberships. Acts onproject Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/projects/{id}.json`	Get a single project, including a dock array of its tools and whether each is enabled.	read	`Account access`	Current
The dock holds the ids needed to reach the project's to-do set, message board, vault, schedule, and Campfire. Acts onproject Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/projects.json`	Create a project. A name is required and a description is optional. Returns 507 if the account project limit is reached.	write	`Account access`	Current
Project creation is bounded by the account's plan limit, not by a separate permission. Acts onproject Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/projects/{id}.json`	Update a project's name, description, schedule dates, and access policy. The name is required.	write	`Account access`	Current
Changing the access policy can admit or remove people from the whole project. Acts onproject Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/projects/{id}.json`	Trash a project. Trashed projects are permanently deleted after 30 days. Returns 204 on success.	write	`Account access`	Current
This removes the entire project and every tool inside it from where people see it. Acts onproject Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
To-do lists & to-dos List and create to-do lists, list and create to-dos, and mark a to-do complete.5
GET	`/todosets/{id}/todolists.json`	List the active to-do lists in a project's to-do set.	read	`Account access`	Current
The to-do set id comes from the project's dock. Acts onto-do list Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/todosets/{id}/todolists.json`	Create a to-do list in a project's to-do set. A name is required.	write	`Account access`	Current
Fires the todolist_created webhook event on the project. Acts onto-do list Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook event`todolist_created` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/todolists/{id}/todos.json`	List the active to-dos in a to-do list.	read	`Account access`	Current
A completed parameter can include finished to-dos. Acts onto-do Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/todolists/{id}/todos.json`	Create a to-do in a to-do list. Content is required, with optional description, assignees, and due date.	write	`Account access`	Current
Assigning people notifies them. Fires the todo_created webhook event. Acts onto-do Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook event`todo_created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/todos/{id}/completion.json`	Mark a to-do as completed.	write	`Account access`	Current
The matching DELETE on the same path reopens the to-do. Fires the todo_completed webhook event. Acts onto-do Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook event`todo_completed` Rate limitStandard limits apply SourceOfficial documentation ↗
Messages List, read, create, and update messages on a project's message board.4
GET	`/message_boards/{id}/messages.json`	List the active messages on a project's message board.	read	`Account access`	Current
The message board id comes from the project's dock. Acts onmessage Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/messages/{id}.json`	Get a single message by id.	read	`Account access`	Current
Reachable only when the token's person belongs to the project that holds the message. Acts onmessage Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/message_boards/{id}/messages.json`	Create a message on a message board. A subject is required, with optional content and category.	write	`Account access`	Current
A posted message notifies everyone subscribed to the board. Fires the message_created webhook event. Acts onmessage Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook event`message_created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/messages/{id}.json`	Update a message's subject, content, or category.	write	`Account access`	Current
Editing the subject or content fires message_title_updated or message_content_updated. Acts onmessage Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Documents List, read, create, and update documents inside a project's vault.3
GET	`/vaults/{id}/documents.json`	List the active documents in a project's vault.	read	`Account access`	Current
A vault is the folder that holds a project's documents and uploads. Its id comes from the project's dock. Acts ondocument Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/vaults/{id}/documents.json`	Create a document in a vault. A title and content are required. Returns 201 on success.	write	`Account access`	Current
Content is rich text and accepts the same HTML Basecamp's editor produces. Fires the document_created webhook event. Acts ondocument Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook event`document_created` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/documents/{id}.json`	Update a document's title and content. Returns 200 on success.	write	`Account access`	Current
Editing fires document_title_updated or document_content_updated. Acts ondocument Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Comments List and read comments on any recording, and post a new comment.2
GET	`/recordings/{id}/comments.json`	List the active comments on any recording, such as a message, document, or to-do.	read	`Account access`	Current
A recording is the shared base type for commentable items, so the same endpoint serves every tool. Acts oncomment Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/recordings/{id}/comments.json`	Post a comment on a recording. Content is required.	write	`Account access`	Current
A posted comment notifies the people following that item. Fires the comment_created webhook event. Acts oncomment Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook event`comment_created` Rate limitStandard limits apply SourceOfficial documentation ↗
Campfires (chats) List Campfires, read their lines, and post a new line to a Campfire chat.3
GET	`/chats.json`	List all active Campfires, the real-time group chats, visible to the current user.	read	`Account access`	Current
Each Campfire belongs to one project the person can see. Acts oncampfire Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/chats/{id}/lines.json`	List the lines, the individual chat messages, in a Campfire.	read	`Account access`	Current
Returns the recent chat history of the Campfire. Acts oncampfire line Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/chats/{id}/lines.json`	Post a new line to a Campfire. Content is required.	write	`Account access`	Current
A posted line is visible to everyone in the Campfire. A separate chatbot key, not OAuth, can also post lines. Acts oncampfire line Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Schedules Read a project's schedule and update its settings.2
GET	`/schedules/{id}.json`	Get a project's schedule. The schedule id comes from the project's dock.	read	`Account access`	Current
The schedule holds the project's dated entries. Acts onschedule Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/schedules/{id}.json`	Update a schedule's settings, such as whether it includes due dates from to-dos, cards, and steps.	write	`Account access`	Current
The include_due_assignments parameter controls whether dated assignments appear on the schedule. Acts onschedule Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
People List all people, list people on a project, and read a person's profile.3
GET	`/people.json`	List all people visible to the current user across the account.	read	`Account access`	Current
Returns names, email addresses, titles, and avatar URLs for the people on the account. Acts onperson Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/projects/{id}/people.json`	List the active people on a single project.	read	`Account access`	Current
Shows who can see and act within the project. Acts onperson Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/people/{id}.json`	Get a single person's profile by id.	read	`Account access`	Current
Returns the person's name, email address, and other profile fields. Acts onperson Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Recordings List recordings of any type across projects, and trash or archive a single recording.3
GET	`/projects/recordings.json`	List recordings of one type across projects, such as Todo, Message, Document, Comment, or Upload, with filters for bucket, status, and sort.	read	`Account access`	Current
A recording is the shared base type behind nearly every item in a project, so this is the cross-project way to find items of one kind. Acts onrecording Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/recordings/{id}/status/trashed.json`	Trash a recording, such as a message, document, or to-do. Returns 204 on success.	write	`Account access`	Current
Removes the item from where people see it. A matching status/active call restores it. Acts onrecording Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/recordings/{id}/status/archived.json`	Archive a recording. Returns 204 on success.	write	`Account access`	Current
Archiving hides the item without deleting it. A status/active call unarchives it. Acts onrecording Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks List a project's webhooks and create a new one to receive events.2
GET	`/buckets/{id}/webhooks.json`	List the webhooks set up on a single project.	read	`Account access`	Current
A bucket is the internal name for a project, so this lists that project's webhooks. Acts onwebhook Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/buckets/{id}/webhooks.json`	Create a webhook on a project. A payload URL is required, with an optional list of event types to receive.	write	`Account access`	Current
Webhooks are created per project, not account-wide, so each project needs its own. Acts onwebhook Permission (capability)`Account access` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Basecamp can notify an app or AI agent when something happens in a project, instead of the app repeatedly asking. A webhook is created on a single project, and Basecamp posts a payload to its URL whenever a matching event fires there.

Event	What it signals	Triggered by
`todo_created`	Fires when a to-do is created in a project.	`/todolists/{id}/todos.json`
`todo_completed`	Fires when a to-do is marked complete.	`/todos/{id}/completion.json`
`todolist_created`	Fires when a to-do list is created in a project's to-do set.	`/todosets/{id}/todolists.json`
`message_created`	Fires when a message is posted to a project's message board.	`/message_boards/{id}/messages.json`
`document_created`	Fires when a document is created in a project's vault.	`/vaults/{id}/documents.json`
`comment_created`	Fires when a comment is posted on a recording.	`/recordings/{id}/comments.json`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Basecamp limits how fast an app or AI agent can call, through a request quota measured per IP address over a short window. Going over returns a 429 response with a Retry-After header that says how long to wait.

Request rate

Basecamp applies several dynamic rate limits, and the one most commonly hit is 50 requests per 10 second window per IP address. Going over returns a 429 response with a Retry-After header giving the seconds to wait before the next request. Server errors in the 500 range should be retried with exponential backoff, while a 404 should not be retried automatically. Every request must carry a User-Agent header naming the app, or it is rejected with 400.

Pagination

Collections use link-based pagination through a Link header, following the RFC 5988 convention, rather than page-number parameters. Basecamp uses geared pagination, where page sizes grow from 15 to 30 to 50 and then 100 or more as paging continues. An empty Link header means the last page has been reached, and an X-Total-Count header gives the total number of items.

Request size

All data is JSON with snake_case keys and no root element, and every API URL ends in .json. POST and PUT requests must send the Content-Type header application/json; charset=utf-8, or the request is rejected with 415. Rich text fields, such as message and document content, accept HTML.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request is malformed, most often because the required User-Agent header that identifies the app is missing.	Send a User-Agent header that names the app and includes a contact, then resend.
401	`Unauthorized`	Authentication is missing or the access token is invalid or expired. Tokens last two weeks.	Refresh the access token using the refresh token, then retry.
403	`Forbidden`	The token is valid but the person is not allowed to perform the action on this resource.	Confirm the person belongs to the project and has permission for the action.
404	`Not Found`	The resource does not exist, has been deleted, or the token cannot see it. Basecamp advises against automatically retrying a 404.	Confirm the path and that the person has access, and do not retry automatically.
415	`Unsupported Media Type`	A POST or PUT was sent without the Content-Type application/json; charset=utf-8 header.	Set the Content-Type header to application/json; charset=utf-8 and resend.
429	`Too Many Requests`	The rate limit was exceeded. The commonly hit limit is 50 requests per 10 second window per IP address.	Wait the number of seconds in the Retry-After header before sending the next request.
507	`Insufficient Storage`	Returned when creating a project would exceed the account's project limit.	Free up a project slot or upgrade the account, then retry.

Versioning & freshness

Version history.

Basecamp does not use dated API versions. The current generation is the BC3 API, served without a version segment in the path, and changes ship through updates to the public documentation rather than new version strings.

Version history

What changed, and when

Latest versionBC3

BC3Current version

The BC3 API (current)

The BC3 API is the current generation, serving Basecamp 3 and Basecamp 4. It uses OAuth 2.0, carries no version segment in its paths, and has no version header to pin. Changes are published as updates to the public bc3-api documentation rather than as new dated versions, so an integration tracks a single, continuously current API. The dated entries below are notable documentation updates from the public bc3-api repository.

What changed

OAuth 2.0 authorization through launchpad.37signals.com, with two-week access tokens and refresh tokens
Account-level access with no granular per-endpoint scopes, bounded by the person's project memberships
Flat resource routes introduced alongside the legacy /buckets/{id}/ project-scoped routes, which still work
Per-project webhooks deliver lifecycle events such as todo_created, message_created, and comment_created

2026-06-17Feature update

Sync with changes from Basecamp 5

Documentation was updated to reflect changes from the Basecamp 5 line, including bubble ups and email-address redaction.

What changed

Documented bubble ups
Documented email-address redaction behavior

2026-03-24Feature update

Campfire content_type and card-step assignees

The optional content_type parameter was documented for rich-text Campfire lines, and card steps were documented as accepting an assignee_ids array, matching to-dos and cards.

What changed

Documented the optional content_type parameter on Campfire line creation
Documented the assignee_ids array for card steps

2026-03-14Feature update

Flat routes become canonical

Flat resource routes were presented as the primary paths for dock tool endpoints, with the legacy /buckets/{id}/ project-scoped routes kept working alongside them.

What changed

Flat routes documented as the canonical paths for dock tool endpoints
Legacy /buckets/{id}/ project-scoped routes retained

2026-03-11Feature update

Upload versions and Campfire uploads

New sections documented upload version history, card-table move endpoints, hill charts, and Campfire file uploads.

What changed

Documented upload versions and card-table move endpoints
Added the hill charts section
Documented Campfire file-upload endpoints

An integration tracks the single current API, with no version header to pin.

Basecamp API changelog ↗

Questions

Basecamp API, answered.

How does an agent authenticate with Basecamp?+

Through OAuth 2.0. A person authorizes the app at launchpad.37signals.com and chooses which Basecamp account to grant, and the app receives an access token tied to that account. The token lasts two weeks and is renewed with a refresh token. Every request must also carry a User-Agent header naming the app, or Basecamp rejects it with a 400.

Can I limit a token to read-only or to one project?+

Not through the API. Basecamp has no granular per-endpoint scopes. A single OAuth token grants account-level access, and what it reaches is decided only by the project memberships of the person who authorized it. The token can read and write every tool in every project that person belongs to. Narrowing access to read-only, or to a single project, has to be enforced in front of the API, which is what a gateway like Bollard does.

What are the rate limits?+

Basecamp applies several dynamic limits, and the one most commonly hit is 50 requests per 10 second window per IP address. Going over returns a 429 with a Retry-After header that says how many seconds to wait. Server errors in the 500 range should be retried with exponential backoff, but a 404 should not be retried automatically.

How does pagination work?+

Collections page through a Link header following the RFC 5988 convention, not page-number parameters. Basecamp uses geared pagination, where each page grows larger, from 15 to 30 to 50 and then 100 or more. An empty Link header means the last page, and an X-Total-Count header gives the total item count. The next link should be followed rather than built by hand.

How does an agent receive events instead of polling?+

Through webhooks. A webhook is created on a single project with a receiver URL and an optional list of event types, such as todo_created, message_created, or comment_created. Basecamp posts a JSON payload to that URL whenever a matching event fires, and retries with exponential backoff when delivery fails. Because webhooks are per project, each project an agent watches needs its own.

What is a recording, and why do so many endpoints use it?+

A recording is the shared base type behind nearly every item in a project, such as a message, document, to-do, or upload. Because they share that base, common actions work across all of them through one set of endpoints: comments are listed and posted on any recording, and trashing or archiving uses the same status endpoints whatever the item is.

Does Basecamp have an official MCP server?+

No. Basecamp does not publish a first-party Model Context Protocol server. Several community and third-party MCP servers wrap the BC3 API, but none is built or maintained by Basecamp, so they are not listed here as an official connection method.

What is Bollard AI?

Control what every AI agent can do in Basecamp.

Bollard AI sits between a team's AI agents and Basecamp. Grant each agent exactly the access it needs, read or write, project area by project area, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Basecamp token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Basecamp access in Bollard Browse all APIs →

Basecamp

Project Agent

Read projects and to-dos ResourceOffReadFull use

Post Campfire messages ActionOffReadFull use

Trash projects and recordings ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Basecamp

How the Basecamp API works.

Connection & authentication methods.

REST API

Webhooks

Chatbots

OAuth 2.0

Chatbot access key

What an AI agent can do in Basecamp.

Projects

To-do lists & to-dos

Messages

Documents

Comments

Campfires (chats)

Schedules

People

Recordings

Webhooks

Every Basecamp API method.

Projects

To-do lists & to-dos

Messages

Documents

Comments

Campfires (chats)

Schedules

People

Recordings

Webhooks

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Basecamp API, answered.

More productivity API guides for agents

Shortcut

Aha!

Miro

Canny

Coda

Notion

Control what every AI agent can do in Basecamp.