Data model
Cards
A work item on a board. Carries a status (1:1 with a board column), position for in-column ordering, plus priority, tags, assignee, and due_date. data.board_id must reference an owned board (or be blank for unsorted cards).
card200Fields
Per-field validation rules. Values that violate any constraint are rejected with 400 before they reach the database.
| Field | Type | Constraints |
|---|---|---|
| tags | tags | - |
| title | string | max length 200 |
| status | string | max length 64 |
| assignee | string | max length 64 |
| board_id | string | max length 64ref →boardownedopt |
| due_date | string | max length 32 |
| position | number | - |
| priority | enum | enum low | medium | high | critical |
| description | string | max length 4000 |
Mutability
Which fields can you send, and when? Anything without a marker is server-managed - sending it isn't an error, it's silently ignored.
| Field | Create | Patch |
|---|---|---|
| tags | ||
| title | ||
| status | ||
| assignee | ||
| board_id | ||
| due_date | ||
| position | ||
| priority | ||
| description |
Fields marked create-only but not patchable are immutable after creation. Server-managed fields include id, timestamps, ownership, and status.
Filtering & sorting
Combinable on list endpoints. Repeating a filter key produces an IN clause; prefixing a sort key with - reverses direction. Example: ?status=open&status=blocked&sort=-created_at.
Filter keys
data__statusdata__prioritydata__tagsdata__assigneedata__board_idstatusis_archivedowned_bySort keys
created_atupdated_atdata__positiondata__statusdata__prioritydata__due_dateDefault: position
Endpoints
Each endpoint below lists its HTTP method, path, and the PAT scope it needs. Code samples cover curl, JavaScript, TypeScript, Python, Rust, Java, and WebSocket.
/xapi2/data/cardcard:listList objects
Returns a paginated list of objects you can read. Default page size is 20; pass ?limit= to change (capped per type). Use ?after=<id> for keyset pagination on created_at-sorted lists, or ?offset= for offset paging.
curl -H "Authorization: Bearer pat_…" \"https://qtssystem.com/xapi2/data/card?limit=20"
/xapi2/data/card/{id}card:readRead one
Returns the object by id. 404 if it does not exist or you cannot read it (the two cases are intentionally conflated).
curl -H "Authorization: Bearer pat_…" \https://qtssystem.com/xapi2/data/card/OBJECT_ID
/xapi2/data/cardcard:createCreate
Creates a new object. Body is a flat JSON dict of field values. Server-side fields (id, timestamps, ownership) are filled automatically; only fields listed below as creatable are read from the body.
curl -H "Authorization: Bearer pat_…" \-H "Content-Type: application/json" \-X POST https://qtssystem.com/xapi2/data/card \-d '{"name": "…"}'
/xapi2/data/card/{id}card:updateUpdate
Partial update. Only fields included in the body are touched; everything else is preserved. Same allow-list as create, minus the fields that are immutable post-create.
curl -H "Authorization: Bearer pat_…" \-H "Content-Type: application/json" \-X PATCH https://qtssystem.com/xapi2/data/card/OBJECT_ID \-d '{"name": "…"}'
/xapi2/data/card/{id}card:deleteDelete
Removes the object. It vanishes from every default list immediately and stops being returned by read / list.
curl -H "Authorization: Bearer pat_…" \-X DELETE https://qtssystem.com/xapi2/data/card/OBJECT_ID
Use in CLI
The same endpoints are also exposed via the Production Board CLI. For scripts, CI, and bulk imports it's usually the faster path.
prodcli card list --limit 5prodcli card get <id>prodcli card create --title "Hello"prodcli card upsert --unique title --csv items.csvprodcli card schema # fields & limits
Full command reference, profiles, CSV import, auto-retry, NDJSON streaming → /docs/cli