megaphone icon Mattermost v10.0 is now available! Learn what’s new »
Edit on GitHub

Mattermost API

Overview
Endpoints
users
bots
teams
channels
posts
files
uploads
bookmarks
preferences
status
emoji
reactions
webhooks
commands
system
brand
OAuth
SAML
LDAP
groups
compliance
cluster
elasticsearch
data retention
jobs
plugins
roles
schemes
integration_actions
shared channels
terms of service
imports
exports
metrics
audit_logs
Playbooks
PlaybookRuns
Internal
Timeline
PlaybookAutofollows
migrate
authentication
threads
search
root
bleve
remote clusters
cloud
usage
permissions
ip
filtering
reports
logs
outgoing_connections
outgoing_oauth_connections
scheduled_post
custom profile attributes
Schemas
User
UsersStats
KnownUsers
Team
TeamStats
TeamExists
Channel
ChannelStats
ChannelMember
ChannelMemberWithTeamData
ChannelData
ChannelWithTeamData
ChannelListWithTeamData
ChannelBookmark
ChannelBookmarkWithFileInfo
UpdateChannelBookmarkResponse
Post
PropertyField
PropertyFieldPatch
PropertyValue
FileInfoList
PostList
PostListWithSearchMatches
PostMetadata
TeamMap
TeamMember
TeamUnread
ChannelUnread
ChannelUnreadAt
Session
FileInfo
Preference
UserAuthData
UserAutocomplete
UserAutocompleteInTeam
UserAutocompleteInChannel
IncomingWebhook
OutgoingWebhook
Reaction
NewTeamMember
NewTeamMembersList
Emoji
Command
AutocompleteSuggestion
CommandResponse
SlackAttachment
SlackAttachmentField
StatusOK
OpenGraph
Audit
Config
EnvironmentConfig
SamlCertificateStatus
Compliance
ClusterInfo
AppError
Status
OAuthApp
Job
UserAccessToken
UserAccessTokenSanitized
GlobalDataRetentionPolicy
DataRetentionPolicyWithoutId
DataRetentionPolicy
DataRetentionPolicyWithTeamAndChannelCounts
DataRetentionPolicyWithTeamAndChannelIds
DataRetentionPolicyCreate
DataRetentionPolicyForTeam
RetentionPolicyForTeamList
DataRetentionPolicyForChannel
RetentionPolicyForChannelList
UserNotifyProps
Timezone
ChannelNotifyProps
PluginManifest
MarketplacePlugin
PushNotification
PluginStatus
PluginManifestWebapp
Role
Scheme
TermsOfService
UserTermsOfService
PostIdToReactionsMap
Product
AddOn
ProductLimits
BoardsLimits
FilesLimits
IntegrationsLimits
MessagesLimits
TeamsLimits
PaymentSetupIntent
PaymentMethod
Address
CloudCustomer
Subscription
SubscriptionStats
Invoice
InvoiceLineItem
Group
GroupMember
GroupSyncableTeam
GroupSyncableChannel
GroupSyncableTeams
GroupSyncableChannels
ChannelModeration
ChannelModeratedRoles
ChannelModeratedRole
ChannelModeratedRolesPatch
ChannelModerationPatch
ChannelMemberCountByGroup
LDAPGroupsPaged
LDAPGroup
SidebarCategory
SidebarCategoryWithChannels
OrderedSidebarCategories
Bot
Server_Busy
GroupWithSchemeAdmin
GroupsAssociatedToChannels
OrphanedRecord
UserThread
RelationalIntegrityCheckData
IntegrityCheckResult
UploadSession
Notice
SharedChannel
RemoteCluster
RemoteClusterInfo
SharedChannelRemote
SystemStatusResponse
UserThreads
System
PostsUsage
StorageUsage
PostAcknowledgement
AllowedIPRange
UserReport
Installation
ServerLimits
OutgoingOAuthConnectionGetItem
OutgoingOAuthConnectionPostItem
ScheduledPost
PlaybookRun
PlaybookRunMetadata
PlaybookRunList
PlaybookAutofollows
OwnerInfo
TriggerIdReturn
Playbook
PlaybookList
Checklist
ChecklistItem
Error
WebhookOnCreationPayload
WebhookOnStatusUpdatePayload
powered by Stoplight

Mattermost API

v4.0.0
API Base URL
Live Server:{your-mattermost-url}
your-mattermost-url
string
Default:
http://localhost:8065
Security
Bearer Auth

Provide your bearer token in the Authorization header when making requests to protected resources.

Example: Authorization: Bearer 123

The Mattermost Web Services API enables Mattermost clients and third-party applications to interact with Mattermost servers.

Official JavaScript and Golang drivers are available to simplify API integration.

By using this API, you agree to our terms of service.

Find out more about Mattermost

Contents

Core Concepts

Drivers

Community

Schema & Conventions

  • All API access is through HTTP(S) requests at your-mattermost-url/api/v4.

  • All request and response bodies are application/json.

  • When using endpoints that require a user id, the string me can be used in place of the user id to indicate the action is to be taken for the logged in user.

  • For all endpoints that implement pagination via the per_page parameter:

    • Maximum items per page: 200 (requests exceeding this will be silently truncated)

    • Default value if a paged API requires a per_page parameter and it is not provided: 60

Authentication

There are multiple ways to authenticate against the Mattermost API.

All examples assume there is a Mattermost instance running at http://localhost:8065.

Session Token

Make an HTTP POST to your-mattermost-url/api/v4/users/login with a JSON body indicating the user's login_id, password and optionally the MFA token. The login_id can be an email, username or an AD/LDAP ID depending on the system's configuration.

curl -i -d '{"login_id":"someone@nowhere.com","password":"thisisabadpassword"}' http://localhost:8065/api/v4/users/login

NOTE: If you're running cURL on windows, you will have to change the single quotes to double quotes, and escape the inner double quotes with backslash, like below:

curl -i -d "{\"login_id\":\"someone@nowhere.com\",\"password\":\"thisisabadpassword\"}" http://localhost:8065/api/v4/users/login

If successful, the response will contain a Token header and a user object in the body.

HTTP/1.1 200 OK
Content-Type: application/json
Permissions-Policy:
Referrer-Policy: no-referrer
Token: ckh3t4knu3fzujt76o57f5jo4w
Vary: Origin
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Request-Id: bk3uzm335jr9tnoh4mcsybmmjr
X-Version-Id: 10.6.0.13685270376.215f100adf6ccda09afcaaa84ac4bfbd.true
Date: Fri, 28 Mar 2025 09:33:22 GMT
Content-Length: 796


{{user object as json}}

Include the Token as part of the Authorization header on your future API requests with the Bearer method.

curl -i -H 'Authorization: Bearer ckh3t4knu3fzujt76o57f5jo4w' http://localhost:8065/api/v4/users/me

Alternatively, include the Token as your MMAUTHTOKEN cookie value on you future API requests:

curl -i -H 'Cookie: MMAUTHTOKEN=ckh3t4knu3fzujt76o57f5jo4w' http://localhost:8065/api/v4/users/me

You should now be able to access the API as the user you logged in as.

Personal Access Tokens

Using personal access tokens is very similar to using a session token. The only real difference is that session tokens will expire, while personal access tokens will live until they are manually revoked by the user or an admin.

Just like session tokens, include the personal access token as part of the Authorization header in your requests using the Bearer method. Assuming our personal access token is 9xuqwrwgstrb3mzrxb83nb357a, we could use it as shown below.

curl -i -H 'Authorization: Bearer 9xuqwrwgstrb3mzrxb83nb357a' http://localhost:8065/api/v4/users/me

Rate Limiting

Whenever you make an HTTP request to the Mattermost API you might notice the following headers included in the response:

X-Ratelimit-Limit: 10
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1441983590

These headers are telling you your current rate limit status.

HeaderDescription
X-Ratelimit-LimitThe maximum number of requests you can make per second.
X-Ratelimit-RemainingThe number of requests remaining in the current window.
X-Ratelimit-ResetThe remaining UTC epoch seconds before the rate limit resets.

If you exceed your rate limit for a window you will receive the following error in the body of the response:

HTTP/1.1 429 Too Many Requests
Date: Tue, 10 Sep 2015 11:20:28 GMT
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1


limit exceeded

Error Handling

All errors will return an appropriate HTTP response code along with the following JSON body:

{
    "id": "the.error.id",
    "message": "Something went wrong", // the reason for the error
    "request_id": "", // the ID of the request
    "status_code": 0, // the HTTP status code
    "is_oauth": false // whether the error is OAuth specific
}

WebSocket

In addition to the HTTP RESTful web service, Mattermost also offers a WebSocket event delivery system and some API functionality.

To connect to the WebSocket follow the standard opening handshake as defined by the RFC specification to the /api/v4/websocket endpoint of Mattermost.

Authentication

The Mattermost WebSocket can be authenticated using the standard API authentication methods (by a cookie or with an explicit Authorization header) or through an authentication challenge. If you're authenticating from a browser and have logged in with the Mattermost API, your authentication cookie should already be set. This is how the Mattermost webapp authenticates with the WebSocket.

To authenticate with an authentication challenge, first connect the WebSocket and then send the following JSON over the connection:

{
  "seq": 1,
  "action": "authentication_challenge",
  "data": {
    "token": "mattermosttokengoeshere"
  }
}

If successful, you will receive a standard OK response over the WebSocket connection:

{
  "status": "OK",
  "seq_reply": 1
}

Once successfully authenticated, the server will pass a hello WebSocket event containing server version over the connection.

Websocket Events

WebSocket events are primarily used to alert the client to changes in Mattermost, such as delivering new posts or alerting the client that another user is typing in a channel.

Events on the WebSocket will have the form:

{
  "event": "hello",
  "data": {
    "server_version": "3.6.0.1451.1c38da627ebb4e3635677db6939e9195"
  },
  "broadcast":{
    "omit_users": null,
    "user_id": "ay5sq51sebfh58ktrce5ijtcwy",
    "channel_id": "",
    "team_id": ""
  },
  "seq": 0
}

The event field indicates the event type, data contains any data relevant to the event and broadcast contains information about who the event was sent to. For example, the above example has user_id set to "ay5sq51sebfh58ktrce5ijtcwy" meaning that only the user with that ID received this event broadcast. The omit_users field can contain an array of user IDs that were specifically omitted from receiving the event.

The list of Mattermost WebSocket events are:

  • added_to_team
  • authentication_challenge
  • channel_converted
  • channel_created
  • channel_deleted
  • channel_member_updated
  • channel_updated
  • channel_viewed
  • config_changed
  • delete_team
  • direct_added
  • emoji_added
  • ephemeral_message
  • group_added
  • hello
  • leave_team
  • license_changed
  • memberrole_updated
  • new_user
  • plugin_disabled
  • plugin_enabled
  • plugin_statuses_changed
  • post_deleted
  • post_edited
  • post_unread
  • posted
  • preference_changed
  • preferences_changed
  • preferences_deleted
  • reaction_added
  • reaction_removed
  • response
  • role_updated
  • status_change
  • typing
  • update_team
  • user_added
  • user_removed
  • user_role_updated
  • user_updated
  • dialog_opened
  • thread_updated
  • thread_follow_changed
  • thread_read_changed

Websocket API

Mattermost has some basic support for WebSocket APIs. A connected WebSocket can make requests by sending the following over the connection:

{
  "action": "user_typing",
  "seq": 2,
  "data": {
    "channel_id": "nhze199c4j87ped4wannrjdt9c",
    "parent_id": ""
  }
}

This is an example of making a user_typing request, with the purpose of alerting the server that the connected client has begun typing in a channel or thread. The action field indicates what is being requested, and performs a similar duty as the route in a HTTP API. The data field is used to add any additional data along with the request. The server supports binary websocket messages as well in case the client has such a requirement.

The seq or sequence number is set by the client and should be incremented with every use. It is used to distinguish responses to requests that come down the WebSocket. For example, a standard response to the above request would be:

{
  "status": "OK",
  "seq_reply": 2
}

Notice seq_reply is 2, matching the seq of the original request. Using this a client can distinguish which request the response is meant for.

If there was any information to respond with, it would be encapsulated in a data field.

In the case of an error, the response would be:

{
  "status": "FAIL",
  "seq_reply": 2,
  "error": {
    "id": "some.error.id.here",
    "message": "Some error message here"
  }
}

The list of WebSocket API actions is:

  • user_typing
  • get_statuses
  • get_statuses_by_ids

To see how these actions work, please refer to either the Golang WebSocket driver or our JavaScript WebSocket driver.

Drivers

The easiest way to interact with the Mattermost Web Service API is through a language specific driver.

Official Drivers

Community-built Drivers

For community-built drivers and API wrappers, see our app directory.

Support

Mattermost core committers work with the community to keep the API documentation up-to-date. If you have questions on API routes not listed in this reference, you can:

Bug reports in the documentation or the API are also welcome, as are pull requests to fix the issues.

Contributing

When you have answers to API questions not addressed in our documentation we ask you to consider making a pull request to improve our reference. Small and large changes are all welcome.

We also have Help Wanted tickets available for community members who would like to help others more easily use the APIs. We acknowledge everyone's contribution in the release notes of our next version.

The source code for this API reference is hosted at https://github.com/mattermost/mattermost/tree/master/api.

Did you find what you were looking for?

😀

Yes

 😐

Mostly

 🙁

No!
Thank you! We appreciate your feedback.
×

Tell us more

Your feedback helps us improve the Mattermost developer documentation.

0/186

Have a feature request? Share it here.

Having issues? Join our Community server.

Submit