Resources/The Agent API Atlas/Sales/Outreach

Everything an AI agent can do with the Outreach API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints27

API versionv2

Last updated23 June 2026

Orientation

How the Outreach API works.

The Outreach API is how an app or AI agent works with an Outreach instance: creating a prospect, adding that prospect to a sequence, sending a mailing, or logging a call or task. Access is granted through an OAuth token whose scopes name each resource and the level of access, read, write, delete, or all, so a token reaches only the resources it was granted. Outreach can also push an event to a registered URL when something changes, like a prospect being created or an email being opened.

27Endpoints

9Capability groups

14Read

13Write

18Permissions

Authentication

Outreach uses OAuth 2.0. An integration sends a user through the authorize endpoint, requests scopes, and exchanges the code for a bearer access token that expires after 2 hours; a refresh token, valid 14 days, gets a new one without re-prompting. A server-to-server token represents the application instead of a user and lasts one hour with no refresh.

Permissions

A scope is a pluralized resource name plus an access token, one of read, write, delete, or all, like prospects.read or sequenceStates.write. Scopes are not additive, so prospects.write does not grant read; the all token covers every access for that resource. A request whose token lacks the needed scope returns 403.

Rate limits

Outreach allows 10,000 requests per hour per user. Each response reports the ceiling, the remaining count, and the reset time through the X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers, and going over returns HTTP 429. Some endpoints apply their own special rules.

Data model

The API follows the JSON:API 1.0 specification: resources have a type, attributes, and relationships, and requests use the application/vnd.api+json content type. Putting a prospect into a sequence is itself a resource, a sequenceState, created with references to the prospect, the sequence, and a mailbox. Lists support filtering, sorting, sparse fieldsets, and including related resources.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Outreach determines what it can reach. There is a route for making calls, a route for receiving events, and a hosted server that exposes Outreach tools to agents, and each is governed by the token behind it and the permissions that token carries.

Ways to connect

REST API

The REST API follows the JSON:API 1.0 specification at https://api.outreach.io/api/v2. A request sends and accepts the application/vnd.api+json content type, and a request without it is rejected. Resources carry a type, attributes, and relationships, and lists support filtering, sorting, sparse fieldsets, and including related resources. A call authenticates with an OAuth 2.0 bearer token whose scopes set which resources it can read or write.

Best forConnecting an app or AI agent to Outreach.

Governed byThe OAuth token and the scopes it carries.

Docs ↗

MCP server

A hosted Model Context Protocol server at https://api.outreach.io/mcp exposes Outreach tools to AI agents and MCP clients. It is generally available and authenticates each user with OAuth, requiring a client that supports OAuth 2.1 and Dynamic Client Registration. It exposes tools across prospecting, accounts, sequences, deals, users, and meetings, like prospect lookup, search, create, and delete. It requires the Amplify add-on on the user's plan.

Best forConnecting an AI agent to Outreach through MCP.

Governed byThe OAuth grant the user signs in with.

Docs ↗

Webhooks

Outreach POSTs an event to an HTTPS URL registered through the webhooks resource. A webhook can be scoped to a resource and an action, like prospect and created, or use a wildcard to receive everything. The receiver gets a payload describing what changed, so an integration reacts to activity without polling.

Best forReceiving Outreach events at an app or AI agent.

Governed byThe registered URL and the resource and action filters on it.

Docs ↗

Authentication

OAuth 2.0 (authorization code)

An integration redirects a user to https://api.outreach.io/oauth/authorize, requests a set of scopes, and exchanges the returned code at https://api.outreach.io/oauth/token for an access token. Scopes are period-separated, a pluralized resource name plus an access token of read, write, delete, or all, like prospects.read or sequenceStates.write. Scopes are not additive, so prospects.write does not grant read.

TokenBearer access token (expires after 2 hours)

Best forAn app acting for a signed-in Outreach user.

Docs ↗

Refresh token

Because an access token expires after 2 hours, an integration exchanges a refresh token at the token endpoint for a new access token without sending the user through sign-in again. A refresh token stays valid for 14 days, and a user and application pair can hold up to 100 refresh tokens at once.

TokenRefresh token (valid 14 days)

Best forKeeping access alive between user sessions.

Docs ↗

Server-to-server token

A server-to-server token represents the application rather than a user, and is issued per organization installation. The app signs a JWT with its private key to fetch a setup token and installation id, then exchanges those for the token. It carries scopes the same way as user tokens and stays valid for one hour, with no refresh, so a new one is requested as needed.

TokenS2S token (valid 1 hour, no refresh)

Best forBackground jobs with no signed-in user.

Docs ↗

Capability map

What an AI agent can do in Outreach.

The Outreach API is split into areas an agent can act on, like prospects, accounts, sequences, mailings, calls, and tasks. Each area has its own methods and its own permission, and a write in some areas sends real email or moves a prospect through a sequence.

Prospects

5 endpoints

Methods for working with prospects, the people an agent reaches out to.

A write here changes real prospect records.

View endpoints →

Accounts

4 endpoints

Methods for working with accounts, the companies prospects belong to.

A write here changes real account records.

View endpoints →

Sequences

3 endpoints

Methods for working with sequences, the multi-step outreach campaigns.

A write here changes real sequence definitions.

View endpoints →

Sequence states

3 endpoints

Methods for placing a prospect into a sequence and tracking its progress.

A write here starts, pauses, or finishes real outreach to a prospect.

View endpoints →

Mailings

3 endpoints

Methods for working with mailings, the individual emails sent to prospects.

A write here can send a real email.

View endpoints →

Calls

2 endpoints

Methods for working with logged calls to prospects.

A write here changes real call records.

View endpoints →

Tasks

3 endpoints

Methods for working with tasks, the to-dos that drive rep activity.

A write here changes real task records.

View endpoints →

Templates

2 endpoints

Methods for working with email templates used in outreach.

A write here changes shared template content.

View endpoints →

Users

2 endpoints

Methods for reading the people in an Outreach instance.

Reads here expose names, email addresses, and roles.

View endpoints →

Endpoint reference

Every Outreach API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Prospects Methods for working with prospects, the people an agent reaches out to.5
GET	`/api/v2/prospects`	List prospects, with filtering, sorting, and sparse fieldsets.	read	`prospects.read`	Current
Read-only. The prospects.all scope also grants read. Acts onprospect Permission (capability)`prospects.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/prospects/{id}`	Retrieve a single prospect by id.	read	`prospects.read`	Current
Read-only. Acts onprospect Permission (capability)`prospects.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/prospects`	Create a prospect, the person an outreach campaign targets.	write	`prospects.write`	Current
The prospects.write scope does not grant read; use prospects.all for both. Acts onprospect Permission (capability)`prospects.write` VersionAvailable since the API’s base version Webhook event`prospect.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v2/prospects/{id}`	Update a prospect's attributes or relationships.	write	`prospects.write`	Current
A core write. Acts onprospect Permission (capability)`prospects.write` VersionAvailable since the API’s base version Webhook event`prospect.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/api/v2/prospects/{id}`	Delete a prospect.	write	`prospects.delete`	Current
Delete is a separate token from write; prospects.all also grants it. Acts onprospect Permission (capability)`prospects.delete` VersionAvailable since the API’s base version Webhook event`prospect.destroyed` Rate limitStandard limits apply SourceOfficial documentation ↗
Accounts Methods for working with accounts, the companies prospects belong to.4
GET	`/api/v2/accounts`	List accounts, the companies prospects belong to.	read	`accounts.read`	Current
Read-only. The accounts.all scope also grants read. Acts onaccount Permission (capability)`accounts.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/accounts/{id}`	Retrieve a single account by id.	read	`accounts.read`	Current
Read-only. Acts onaccount Permission (capability)`accounts.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/accounts`	Create an account record.	write	`accounts.write`	Current
The accounts.write scope does not grant read; use accounts.all for both. Acts onaccount Permission (capability)`accounts.write` VersionAvailable since the API’s base version Webhook event`account.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v2/accounts/{id}`	Update an account's attributes or relationships.	write	`accounts.write`	Current
A core write. Acts onaccount Permission (capability)`accounts.write` VersionAvailable since the API’s base version Webhook event`account.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
Sequences Methods for working with sequences, the multi-step outreach campaigns.3
GET	`/api/v2/sequences`	List sequences, the multi-step outreach campaigns.	read	`sequences.read`	Current
Read-only. The sequences.all scope also grants read. Acts onsequence Permission (capability)`sequences.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/sequences/{id}`	Retrieve a single sequence by id.	read	`sequences.read`	Current
Read-only. Acts onsequence Permission (capability)`sequences.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/sequences`	Create a sequence definition.	write	`sequences.write`	Current
The sequences.write scope does not grant read; use sequences.all for both. Acts onsequence Permission (capability)`sequences.write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Sequence states Methods for placing a prospect into a sequence and tracking its progress.3
GET	`/api/v2/sequenceStates`	List sequence states, each one a prospect's place in a sequence.	read	`sequenceStates.read`	Current
Read-only. The sequenceStates.all scope also grants read. Acts onsequenceState Permission (capability)`sequenceStates.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/sequenceStates`	Add a prospect to a sequence by creating a sequence state, referencing the prospect, the sequence, and a mailbox.	write	`sequenceStates.write`	Current
This is how outreach to a prospect starts; the new state begins active on the first step. Acts onsequenceState Permission (capability)`sequenceStates.write` VersionAvailable since the API’s base version Webhook event`sequenceState.created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/sequenceStates/{id}/actions/finish`	Finish a sequence state, removing the prospect from the sequence.	write	`sequenceStates.write`	Current
An action endpoint; stops further steps for that prospect. Acts onsequenceState Permission (capability)`sequenceStates.write` VersionAvailable since the API’s base version Webhook event`sequenceState.finished` Rate limitStandard limits apply SourceOfficial documentation ↗
Mailings Methods for working with mailings, the individual emails sent to prospects.3
GET	`/api/v2/mailings`	List mailings, the individual emails sent to prospects.	read	`mailings.read`	Current
Read-only. The mailings.all scope also grants read. Acts onmailing Permission (capability)`mailings.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/mailings/{id}`	Retrieve a single mailing by id, including its open and reply state.	read	`mailings.read`	Current
Read-only. Acts onmailing Permission (capability)`mailings.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/mailings`	Create a mailing, an email scheduled or sent to a prospect.	write	`mailings.write`	Current
A write here can result in a real email being sent. Acts onmailing Permission (capability)`mailings.write` VersionAvailable since the API’s base version Webhook event`mailing.created` Rate limitStandard limits apply SourceOfficial documentation ↗
Calls Methods for working with logged calls to prospects.2
GET	`/api/v2/calls`	List calls logged against prospects.	read	`calls.read`	Current
Read-only. The calls.all scope also grants read. Acts oncall Permission (capability)`calls.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/calls`	Log a call against a prospect.	write	`calls.write`	Current
The calls.write scope does not grant read; use calls.all for both. Acts oncall Permission (capability)`calls.write` VersionAvailable since the API’s base version Webhook event`call.created` Rate limitStandard limits apply SourceOfficial documentation ↗
Tasks Methods for working with tasks, the to-dos that drive rep activity.3
GET	`/api/v2/tasks`	List tasks, the to-dos that drive rep activity.	read	`tasks.read`	Current
Read-only. The tasks.all scope also grants read. Acts ontask Permission (capability)`tasks.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/tasks`	Create a task for a user to action.	write	`tasks.write`	Current
The tasks.write scope does not grant read; use tasks.all for both. Acts ontask Permission (capability)`tasks.write` VersionAvailable since the API’s base version Webhook event`task.created` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/api/v2/tasks/{id}`	Update a task, for example to complete it.	write	`tasks.write`	Current
Completing a task fires task.completed. Acts ontask Permission (capability)`tasks.write` VersionAvailable since the API’s base version Webhook event`task.completed` Rate limitStandard limits apply SourceOfficial documentation ↗
Templates Methods for working with email templates used in outreach.2
GET	`/api/v2/templates`	List email templates used in outreach.	read	`templates.read`	Current
Read-only. The templates.all scope also grants read. Acts ontemplate Permission (capability)`templates.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/api/v2/templates`	Create an email template for reuse across outreach.	write	`templates.write`	Current
The templates.write scope does not grant read; use templates.all for both. Acts ontemplate Permission (capability)`templates.write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Users Methods for reading the people in an Outreach instance.2
GET	`/api/v2/users`	List the users in an Outreach instance.	read	`users.read`	Current
Returns names, email addresses, and roles. The users.all scope also grants read. Acts onuser Permission (capability)`users.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/api/v2/users/{id}`	Retrieve a single user by id.	read	`users.read`	Current
Read-only. Acts onuser Permission (capability)`users.read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Outreach can notify an app when something happens in the platform, like a prospect being created or an email being delivered, opened, or replied to. It posts an event describing the change to a registered HTTPS URL, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`prospect.created`	A new prospect was created.	`/api/v2/prospects`
`prospect.updated`	A prospect's attributes or relationships changed.	`/api/v2/prospects/{id}`
`prospect.destroyed`	A prospect was deleted.	`/api/v2/prospects/{id}`
`account.created`	A new account was created.	`/api/v2/accounts`
`account.updated`	An account's attributes or relationships changed.	`/api/v2/accounts/{id}`
`sequenceState.created`	A prospect was added to a sequence and outreach began.	`/api/v2/sequenceStates`
`sequenceState.finished`	A prospect finished or was removed from a sequence.	`/api/v2/sequenceStates/{id}/actions/finish`
`mailing.created`	A mailing was created and scheduled or sent.	`/api/v2/mailings`
`call.created`	A call was logged against a prospect.	`/api/v2/calls`
`task.created`	A task was created.	`/api/v2/tasks`
`task.completed`	A task was completed.	`/api/v2/tasks/{id}`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Outreach limits how fast an app can call, through an hourly request quota counted per user. Each response reports how much of the quota is left, and going over returns a clear error with a reset time.

Request rate

Outreach meters requests per user, not per method, allowing 10,000 requests per hour for each user a token acts for. Every response carries three headers: X-RateLimit-Limit is the ceiling for the period, X-RateLimit-Remaining is how many requests are left, and X-RateLimit-Reset (also sent as Retry-After) is when the counter resets. Going over returns HTTP 429 with a JSON error. Some endpoints, like the bulk API, apply their own special rules.

Pagination

Lists are cursor-paginated by default: page[size] sets the page size, and the response links object carries first, prev, and next URLs to walk through pages. Adding count=false skips counting the total and improves performance on large lists. An older offset model using page[offset] and page[limit] is deprecated; it caps the offset at 10,000 and the limit at 1,000.

Request size

A request must send the application/vnd.api+json content type or it is rejected with 415. On the deprecated offset model, page[limit] may be at most 1,000 and page[offset] at most 10,000. A response can be trimmed with sparse fieldsets, requesting only named attributes per resource type with the fields parameter.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
401	`Unauthorized`	No valid access token was provided, or the token has expired.	Refresh the access token at the token endpoint, or send the user back through OAuth, then resend.
403	`Forbidden`	The token is valid but its scopes do not cover this request, for example a read-only scope on a write.	Request the resource's write, delete, or all scope and have the user re-authorize.
404	`Not Found`	The requested resource does not exist or is not visible to this token.	Verify the resource id and that the token's user can see it.
415	`Unsupported Media Type`	The request was sent without the application/vnd.api+json content type that the JSON:API requires.	Set the Content-Type header to application/vnd.api+json and resend.
422	`Unprocessable Entity`	The request was well-formed but a validation rule failed, for example a missing required attribute or relationship.	Read the errors array, where each entry carries a title, detail, and a source pointer to the offending field, then fix and resend.
429	`Too Many Requests`	The per-user hourly request quota was exceeded.	Wait until the X-RateLimit-Reset time, then resend. Spread requests to stay under the quota.

Versioning & freshness

Version history.

Outreach runs a single, continuously updated version of its API, and ships dated deprecation notices when a behavior is changing or being removed, with a grace period before it takes effect.

Version history

What changed, and when

Latest versionv2

v2Current version

API version 2 (current)

Outreach runs a single, continuously updated version 2 of its REST API, following the JSON:API 1.0 specification. There is no dated version string to pin; instead, behavior changes are announced as dated deprecation notices with a grace period before they take effect.

What changed

JSON:API 1.0 resources with type, attributes, and relationships.
Cursor-based pagination is the default, with an older offset model kept for compatibility.
OAuth 2.0 with per-resource read, write, delete, and all scopes.

2025-02-12Requires migration

Counting off by default

The API stopped counting the total number of matching resources on a list by default. Applications registered after 13 October 2024 had to opt in, and existing applications were given a grace period until 12 February 2025, after which a query that needs a total must add count=true.

What changed

Collection queries no longer return a total count unless count=true is sent.
count=false is the performant default for paging through large lists.

2024-09-01Requires migration

Audit API deprecated

The original Audit API was deprecated in September 2024 and replaced by a new Audit Log API.

What changed

The legacy Audit API was retired in favor of the Audit Log API.

2023-10-31Requires migration

Relationship filter and sort removed

Three behaviors were deprecated effective 31 October 2023: sorting by relationship attributes, filtering by relationship attributes, and including related objects in create and update responses.

What changed

Sorting by a relationship's attributes is no longer supported.
Filtering by a relationship's attributes is no longer supported.
Create and update responses no longer include related objects.

Track the deprecation notices and move off a removed behavior before its effective date.

Outreach API deprecations ↗

Questions

Outreach API, answered.

How does authentication work?+

Outreach uses the standard OAuth 2.0 authorization-code flow. An integration redirects the user to api.outreach.io/oauth/authorize with the scopes it needs, then exchanges the returned code at api.outreach.io/oauth/token for an access token. The access token lasts 2 hours, and a refresh token, valid 14 days, fetches a new one without sending the user back through sign-in.

How do scopes and permissions work?+

A scope is a period-separated string: a pluralized resource name and an access token of read, write, delete, or all, for example prospects.read or sequenceStates.write. Scopes are not additive, so a token with prospects.write cannot read prospects; prospects.all grants read, write, and delete for that resource. A call whose token lacks the right scope returns a 403.

How do I add a prospect to a sequence?+

Create a sequenceState by POSTing to /api/v2/sequenceStates with relationships to the prospect, the sequence, and the mailbox to send from. Outreach sets the new state to active on the first step and begins the outreach. Calling the finish action on that sequence state removes the prospect from the sequence.

What are the rate limits?+

Outreach allows 10,000 requests per hour per user. Each response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (also sent as Retry-After), so an integration can pace itself. Exceeding the quota returns HTTP 429 with a JSON error, and some endpoints such as the bulk API have their own special rules.

How does pagination work?+

Lists are cursor-paginated by default. Set page[size] to control the page size and follow the next link in the response's links object to walk through results, adding count=false to skip the total count on large lists for speed. An older offset model with page[offset] and page[limit] is deprecated and caps the offset at 10,000 and the limit at 1,000.

Does Outreach have an MCP server for AI agents?+

Yes. Outreach runs a hosted Model Context Protocol server at api.outreach.io/mcp that exposes Outreach tools to AI agents and MCP clients. It is generally available, authenticates each user with OAuth (the client must support OAuth 2.1 and Dynamic Client Registration), and requires the Amplify add-on on the user's plan.

Why is my request rejected with a 415?+

The API implements JSON:API 1.0 and requires the application/vnd.api+json content type on every request. A request sent without that Content-Type header is rejected with a 415 Unsupported Media Type. Setting the header correctly resolves it.

What is Bollard AI?

Control what every AI agent can do in Outreach.

Bollard AI sits between a team's AI agents and Outreach. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Outreach token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Outreach access in Bollard Browse all APIs →

Outreach

Sales Outreach Agent

Read prospects ResourceOffReadFull use

Add to sequence ActionOffReadFull use

Send mailings ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Outreach

How the Outreach API works.

Connection & authentication methods.

REST API

MCP server

Webhooks

OAuth 2.0 (authorization code)

Refresh token

Server-to-server token

What an AI agent can do in Outreach.

Prospects

Accounts

Sequences

Sequence states

Mailings

Calls

Tasks

Templates

Users

Every Outreach API method.

Prospects

Accounts

Sequences

Sequence states

Mailings

Calls

Tasks

Templates

Users

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Outreach API, answered.

More sales API guides for agents

Gong

Salesloft

Apollo

1Password

Control what every AI agent can do in Outreach.