Introduction

Build custom integrations using our API

Our beta API is currently available in early access. We'll be releasing further endpoints in an upcoming release.

Authentication

All API endpoints are authenticated using Bearer tokens. Include your API key in the Authorization header of every request:

Authorization: Bearer YOUR_API_KEY

API Key Types

Buildstash supports two types of API keys, each designed for different use cases:

Workspace API Keys provide access across your entire workspace. Use these for admin tooling, dashboards, or integrations that need to operate across multiple applications.

Application API Keys are scoped to a single application. Use these for CI/CD pipelines, build automation, and any integration that only needs to interact with one specific application. Application keys cannot access other applications in the workspace.

Scopes

Each API key is assigned scopes that control which resources it can access and what actions it can perform. Scopes follow a resource:level pattern (e.g. builds:read, releases:write).

See the Scopes reference for a full breakdown of available scopes and their access levels.

Base URL

All API requests should be made to:

https://app.buildstash.com/api/v1

Rate Limiting

API requests are rate-limited. Download endpoints have stricter limits (30 requests per minute per application, 60 per minute per workspace). When rate-limited, the API returns a 429 Too Many Requests response.

Errors

The API returns standard HTTP status codes. Error responses include a message field with details:

StatusMeaning
400Bad request — invalid parameters or business rule violation
401Unauthorized — missing or invalid API key
403Forbidden — insufficient scope or access denied
404Not found — resource does not exist or is not accessible
415Unsupported media type — Content-Type must be application/json for POST/PUT requests
422Validation error — request body failed validation
429Rate limited — too many requests
500Internal server error

Guides