Authentication
Authenticate REST requests with a Bearer personal access token and the blue-org-id header.
The Blue REST API authenticates every request with a personal access token (PAT) sent as a Bearer token, plus a blue-org-id header that scopes the request to one organization. These are the same tokens the GraphQL API and the MCP server use - a token belongs to a user and inherits that user’s permissions.
Authenticate a request
Send two headers on every request:
curl https://rest.blue.app/v1/list-workspaces \
-X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN" \
-H "blue-org-id: YOUR_ORG_ID" \
-d '{}'| Header | Required | Description |
|---|---|---|
Authorization | Yes | Bearer <token> - your personal access token. |
blue-org-id | Yes | The organization to act in. Scopes the request to that org’s data. |
Content-Type | For writes | application/json on any request that carries a JSON body. |
Header names are case-insensitive. The blue-org-id value is the organization’s ID.
blue-org-id was previously named x-bloo-company-id (and the GraphQL API’s X-Bloo-Company-ID). Both legacy names are still accepted, so existing integrations keep working without changes. Use blue-org-id for anything new.
Create a token
Tokens are created in Blue’s settings, not via the API.
- Open Blue and click your profile avatar in the top-right corner.
- Choose API from the profile menu.
- Click Generate a Token.
- Give the token a name, and optionally set an expiration date.
- Click create. Blue shows you the token once.
Blue stores the token as a hash, so it cannot be retrieved after creation - not even by Blue’s team. Copy it somewhere safe the moment it’s shown. If you lose it, delete the token and create a new one. Anyone with the token can act as you in Blue, so treat it like a password and never commit it to source control.
The same token works across the REST API, the GraphQL API, and the MCP server - there’s no separate REST credential to manage.
Find your organization ID
The blue-org-id value names the organization (a Company in the API) the request acts in. Every request must carry it - it’s how Blue knows which org’s records, workspaces, and settings you’re reaching for. You can find it in the app, or list the organizations a token can reach and read their IDs from the response.
Authentication errors
The API returns a JSON { "error": ... } body with one of these statuses when a request can’t be authenticated or authorized:
| Status | Code | When |
|---|---|---|
400 | Bad Request | The blue-org-id header (or a legacy alias) is missing from the request. |
401 | Unauthorized | The token is missing, malformed, expired, or doesn’t match a real token. |
403 | Forbidden | The token is valid but the user has no access to the organization named in the header. |
A missing or bad Bearer token returns 401:
{
"error": "Unauthorized"
}A valid token whose user can’t reach the requested organization returns 403:
{
"error": "User does not have access to this company"
}The distinction matters: 401 means “we don’t know who you are” - check the token. 403 means “we know who you are, but you can’t act here” - check that the user is a member of the organization you passed in blue-org-id. See Errors & Rate Limits for the full status table.