miro-pack
Claude Code skill pack for Miro (24 skills)
24
Skills
MIT
License
Free
Pricing
Installation
Open Claude Code and run this command:
/plugin install miro-pack@claude-code-plugins-plus
Use --global to install for all projects, or --project for current project only.
Skills (24)
Configure CI/CD pipelines for Miro REST API v2 integrations with GitHub Actions, test board isolation, and automated validation.
ReadWriteEditBash(gh:*)
Miro CI Integration
Overview
Set up CI/CD pipelines for Miro REST API v2 integrations with isolated test boards, proper secret handling, and API validation in GitHub Actions.
Prerequisites
- GitHub repository with Actions enabled
- Miro app with test credentials (separate from production)
- A dedicated test board ID for integration tests
GitHub Actions Workflow
# .github/workflows/miro-integration.yml
name: Miro Integration Tests
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- run: npm ci
- run: npm test -- --coverage
- name: Upload coverage
if: always()
uses: actions/upload-artifact@v4
with:
name: coverage
path: coverage/
integration-tests:
runs-on: ubuntu-latest
needs: unit-tests
# Only run on main branch or when explicitly requested
if: github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'run-integration')
env:
MIRO_ACCESS_TOKEN: ${{ secrets.MIRO_ACCESS_TOKEN_TEST }}
MIRO_TEST_BOARD_ID: ${{ secrets.MIRO_TEST_BOARD_ID }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- run: npm ci
- name: Verify Miro API connectivity
run: |
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer $MIRO_ACCESS_TOKEN" \
"https://api.miro.com/v2/boards?limit=1")
if [ "$STATUS" != "200" ]; then
echo "::error::Miro API returned $STATUS — check MIRO_ACCESS_TOKEN_TEST secret"
exit 1
fi
echo "Miro API connectivity verified (HTTP $STATUS)"
- name: Run integration tests
run: npm run test:integration
timeout-minutes: 5
- name: Cleanup test board items
if: always()
run: |
# Delete items created during test run
curl -s "https://api.miro.com/v2/boards/$MIRO_TEST_BOARD_ID/items?limit=50" \
-H "Authorization: Bearer $MIRO_ACCESS_TOKEN" | \
jq -r '.data[].id' | \
while read -r ITEM_ID; do
curl -s -X DELETE \
"https://api.miro.com/v2/boards/$MIRO_TEST_BOARD_ID/items/$ITEM_ID" \
-H "Authorization: Bearer $MIRO_ACCESS_TOKEN"
done
echo "Test board cleaned"
Configuring Secrets
# Store test credentials as GitHub secrets
gh sDiagnose and fix Miro REST API v2 errors by HTTP status code.
ReadGrepBash(curl:*)
Miro Common Errors
Overview
Quick reference for Miro REST API v2 errors organized by HTTP status code, with real error response bodies and proven fixes.
Prerequisites
- Access token configured
curlavailable for diagnostic requests
Quick Diagnostic
# 1. Verify API connectivity
curl -s -o /dev/null -w "%{http_code}" https://api.miro.com/v2/boards \
-H "Authorization: Bearer $MIRO_ACCESS_TOKEN"
# 2. Check token validity
curl -s https://api.miro.com/v1/oauth-token \
-H "Authorization: Bearer $MIRO_ACCESS_TOKEN" | jq
# 3. Check Miro status page
curl -s https://status.miro.com/api/v2/status.json | jq '.status.description'
Error Reference
400 — Bad Request
{
"status": 400,
"code": "invalidInput",
"message": "Could not resolve the value for parameter: data.content",
"context": { "fields": [{ "field": "data.content", "message": "Required" }] }
}
Common causes:
- Missing required fields in request body
- Wrong data types (string instead of number for position)
- Invalid enum values (e.g.,
shape: 'oval'— correct isshape: 'circle')
Fix: Cross-reference your request body with the REST API reference. Each item type has specific required fields.
Sticky note required fields: data.content, data.shape (square or rectangle)
Shape required fields: data.shape (see miro-sdk-patterns for valid shapes)
Connector required fields: startItem.id, endItem.id
401 — Unauthorized
{
"status": 401,
"code": "tokenNotProvided",
"message": "Access token is not provided"
}
{
"status": 401,
"code": "tokenExpired",
"message": "Access token has expired"
}
Common causes:
- Missing
Authorization: Bearerheader - Access token expired (tokens last 3599 seconds / ~1 hour)
- Using clientid/clientsecret instead of access_token
Fix:
# Check if token is set
echo "Token length: ${#MIRO_ACCESS_TOKEN}"
# Refresh expired token
curl -X POST https://api.miro.com/v1/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d &quoManage Miro boards and items — create, read, update, delete boards, sticky notes, shapes, cards, frames, and tags via REST API v2.
ReadWriteEditBash(npm:*)Bash(curl:*)Grep
Miro Core Workflow A — Boards & Items CRUD
Overview
The primary workflow for Miro integrations: full CRUD on boards and board items (sticky notes, shapes, cards, frames, tags) using the REST API v2 at https://api.miro.com/v2/.
Prerequisites
- Valid access token with
boards:readandboards:writescopes - Understanding of Miro item types (see
miro-hello-world)
Board Operations
Create a Board
// POST https://api.miro.com/v2/boards
const board = await miroFetch('/v2/boards', 'POST', {
name: 'Sprint Retro — Week 12',
description: 'Team retrospective board',
teamId: 'your-team-id', // optional — creates in specific team
policy: {
sharingPolicy: {
access: 'private',
inviteToAccountAndBoardLinkAccess: 'no_access',
organizationAccess: 'private',
},
permissionsPolicy: {
collaborationToolsStartAccess: 'all_editors',
copyAccess: 'anyone',
sharingAccess: 'team_members_and_collaborators',
},
},
});
Get a Board
// GET https://api.miro.com/v2/boards/{board_id}
const board = await miroFetch(`/v2/boards/${boardId}`);
// Returns: id, name, description, owner, policy, createdAt, modifiedAt
List All Boards
// GET https://api.miro.com/v2/boards
// Supports filtering by team_id, project_id, query, sort, owner
const boards = await miroFetch('/v2/boards?limit=50&sort=last_modified');
for (const board of boards.data) {
console.log(`${board.id}: ${board.name} (modified: ${board.modifiedAt})`);
}
Update a Board
// PATCH https://api.miro.com/v2/boards/{board_id}
await miroFetch(`/v2/boards/${boardId}`, 'PATCH', {
name: 'Sprint Retro — Week 12 (CLOSED)',
description: 'Archived — action items in Jira',
});
Delete a Board
// DELETE https://api.miro.com/v2/boards/{board_id}
await miroFetch(`/v2/boards/${boardId}`, 'DELETE');
Item CRUD Operations
Create Items
// Sticky Note — POST /v2/boards/{board_id}/sticky_notes
const note = await miroFetch(`/v2/boards/${boardId}/sticky_notes`, 'POST', {
data: { content: 'Went well: team communication', shape: 'square' },
style: { fillColor: 'light_green', textAlign: 'center' },
position: { x: -200, y: 0 },
geometry: { width: 199 },
});
// Shape — POST /v2/boards/{board_id}/shapes
const shape = await miroFetch(`/v2/boards/${boardId}/shapes`, 'POST', {
data: { content: 'Decision Point', shape: 'rhombus' },
style: { fiManage Miro connectors, images, embeds, app cards, and document items via REST API v2.
ReadWriteEditBash(npm:*)Bash(curl:*)Grep
Miro Core Workflow B — Connectors, Embeds & Rich Items
Overview
Advanced item operations: connectors between items, image uploads, embedded content, app cards for custom integrations, and document items — all via the Miro REST API v2.
Prerequisites
- Completed
miro-core-workflow-a(boards and basic items) - Access token with
boards:readandboards:writescopes
Connectors
Connectors are lines that visually link two items on a board. They replaced "lines" from the v1 API.
Create a Connector
// POST https://api.miro.com/v2/boards/{board_id}/connectors
const connector = await miroFetch(`/v2/boards/${boardId}/connectors`, 'POST', {
startItem: {
id: startItemId,
position: {
x: 1.0, // 0.0–1.0 relative position on item boundary
y: 0.5, // 0.0 = top/left, 1.0 = bottom/right
},
// or use snapTo: 'right' | 'left' | 'top' | 'bottom' | 'auto'
},
endItem: {
id: endItemId,
snapTo: 'left',
},
captions: [
{
content: 'depends on',
position: 0.5, // 0.0–1.0 along the connector line
textAlignVertical: 'top', // 'top' | 'middle' | 'bottom'
},
],
shape: 'curved', // 'straight' | 'elbowed' | 'curved'
style: {
color: '#1a1a2e',
fontSize: 12,
strokeColor: '#1a1a2e',
strokeWidth: 2,
strokeStyle: 'normal', // 'normal' | 'dashed' | 'dotted'
startStrokeCap: 'none', // 'none' | 'stealth' | 'diamond' | 'filled_diamond' | etc.
endStrokeCap: 'stealth', // arrow-style endpoint
},
});
console.log(`Connector ${connector.id}: ${startItemId} → ${endItemId}`);
List All Connectors on a Board
// GET https://api.miro.com/v2/boards/{board_id}/connectors
const connectors = await miroFetch(`/v2/boards/${boardId}/connectors?limit=50`);
for (const c of connectors.data) {
console.log(`${c.startItem.id} --[${c.captions?.[0]?.content ?? ''}]--> ${c.endItem.id}`);
}
Update a Connector
// PATCH https://api.miro.com/v2/boards/{board_id}/connectors/{connector_id}
await miroFetch(`/v2/boards/${boardId}/connectors/${connectorId}`, 'PATCH', {
captions: [{ content: 'blocks', position: 0.5 }],
style: { strokeColor: '#ff0000', endStrokeCap: 'filled_triangle' },
});
Delete a Connector
// DELETE https://api.miro.com/v2/boards/{board_id}/connectors/{connector_id}
await miroFetch(`/v2/boards/${boardId}/connectors/${connectorId}`, 'DELETE');
Optimize Miro API costs through credit monitoring, request reduction, and plan selection based on the credit-based rate limiting model.
ReadGrep
Miro Cost Tuning
Overview
Miro's API pricing is based on your plan tier (Free, Business, Enterprise), not per-API-call billing. However, the credit-based rate limiting system (100,000 credits/minute) effectively caps throughput. Cost optimization means minimizing API calls to stay within your plan's rate limits and reduce the need for higher-tier upgrades.
Miro Plan Comparison
| Feature | Free | Business | Enterprise |
|---|---|---|---|
| Price | $0/user | $12-20/user/mo | Custom |
| Boards | 3 editable | Unlimited | Unlimited |
| API access | Yes | Yes | Yes |
| Rate limit | 100K credits/min | 100K credits/min | Higher (negotiable) |
| OAuth scopes | All standard | All standard | All + enterprise scopes |
| SCIM provisioning | No | No | Yes |
| Audit logs API | No | No | Yes |
| SSO/SAML | No | No | Yes |
Credit Usage Tracking
class MiroUsageTracker {
private minuteCredits = 0;
private dailyRequests = 0;
private minuteStart = Date.now();
private dailyStart = Date.now();
trackRequest(response: Response): void {
// Reset minute window
if (Date.now() - this.minuteStart > 60_000) {
this.minuteCredits = 0;
this.minuteStart = Date.now();
}
// Reset daily window
if (Date.now() - this.dailyStart > 86_400_000) {
this.dailyRequests = 0;
this.dailyStart = Date.now();
}
const limit = parseInt(response.headers.get('X-RateLimit-Limit') ?? '100000');
const remaining = parseInt(response.headers.get('X-RateLimit-Remaining') ?? '100000');
this.minuteCredits = limit - remaining;
this.dailyRequests++;
}
getReport(): UsageReport {
return {
currentMinuteCredits: this.minuteCredits,
creditUtilizationPercent: Math.round((this.minuteCredits / 100000) * 100),
dailyRequests: this.dailyRequests,
projectedMonthlyRequests: this.dailyRequests * 30,
recommendation: this.getRecommendation(),
};
}
private getRecommendation(): string {
if (this.minuteCredits > 80000) {
return 'CRITICAL: >80% credit usage. Reduce request rate or upgrade to Enterprise.';
}
if (this.minuteCredits > 50000) {
return 'WARNING: >50% credit usage. Consider caching and batching.';
}
return 'Healthy credit usage.';
}
}
Cost Reduction Strategies
Strategy 1: Reduce Read Requests with Caching
The biggest cost saver. Most Miro board reads return data that changes infrequently.
Implement Miro REST API v2 data handling with PII detection in board content, data export via API, retention policies, and GDPR/CCPA compliance patterns.
ReadWriteEdit
Miro Data Handling
Overview
Handle sensitive data correctly when integrating with Miro REST API v2. Miro boards can contain PII in sticky notes, cards, and text items. This skill covers detecting PII in board content, exporting board data for DSAR requests, implementing retention policies, and ensuring GDPR/CCPA compliance.
Data Classification for Miro Content
Category
Examples in Miro
Handling
PII
Emails/names in sticky notes, assignee info in cards
Detect, redact in logs, export on DSAR request
Sensitive
OAuth tokens, API keys in text items
Never cache, alert on detection
Business
Board names, project plans, diagrams
Standard handling, respect board sharing policy
Public
Template content, product names
No special handling needed
PII Detection in Board Items
Scan board content for personally identifiable information:
const PII_PATTERNS = [
{ type: 'email', regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g },
{ type: 'phone', regex: /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g },
{ type: 'ssn', regex: /\b\d{3}-\d{2}-\d{4}\b/g },
{ type: 'credit_card', regex: /\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g },
{ type: 'ip_address', regex: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g },
];
interface PiiFindings {
boardId: string;
itemId: string;
itemType: string;
findings: Array<{ type: string; field: string; count: number }>;
}
async function scanBoardForPii(boardId: string): Promise<PiiFindings[]> {
const results: PiiFindings[] = [];
// Fetch all text-containing items
const itemTypes = ['sticky_note', 'card', 'text', 'shape'];
for (const type of itemTypes) {
const items = await fetchAllItems(boardId, type);
for (const item of items) {
const contentFields = extractTextContent(item);
const findings: PiiFindings['findings'] = [];
for (const [field, text] of Object.entries(contentFields)) {
if (!text) continue;
for (const pattern of PII_PATTERNS) {
const matches = text.match(pattern.regex);
if (matches) {
findings.push({ type: pattern.type, field, count: matches.length });
}
}
}
if (findings.length > 0) {
results.push({ boardId, itemId: item.id, itemType: item.type, findings });
}
}
}
return results;
}
function extractTextContent(item: any): Record<string, string> {
switch (item.type) {
case 'sticky_note': return { content: item.data?.content };
case 'card': return { title: item.data?.title, description: item.data?.description };
case 'text': return { cont
Collect Miro REST API v2 diagnostic evidence for support tickets.
ReadBash(curl:*)Bash(tar:*)Bash(jq:*)Grep
Miro Debug Bundle
Overview
Collect all diagnostic information needed to troubleshoot Miro REST API v2 integration issues and file effective support tickets.
Prerequisites
- Access token (even expired ones are useful for diagnostics)
curlandjqavailable- Application logs accessible
Instructions
Step 1: Create the Debug Bundle Script
#!/bin/bash
# miro-debug-bundle.sh — Collect Miro API diagnostics
set -euo pipefail
BUNDLE_DIR="miro-debug-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BUNDLE_DIR"
echo "=== Miro Debug Bundle ===" | tee "$BUNDLE_DIR/summary.txt"
echo "Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)" | tee -a "$BUNDLE_DIR/summary.txt"
echo "" >> "$BUNDLE_DIR/summary.txt"
Step 2: Collect Environment Info
# Runtime environment
echo "--- Environment ---" >> "$BUNDLE_DIR/summary.txt"
echo "Node.js: $(node --version 2>/dev/null || echo 'not installed')" >> "$BUNDLE_DIR/summary.txt"
echo "npm: $(npm --version 2>/dev/null || echo 'not installed')" >> "$BUNDLE_DIR/summary.txt"
echo "OS: $(uname -srm)" >> "$BUNDLE_DIR/summary.txt"
# SDK version
echo "--- SDK Version ---" >> "$BUNDLE_DIR/summary.txt"
npm list @mirohq/miro-api 2>/dev/null >> "$BUNDLE_DIR/summary.txt" || echo "@mirohq/miro-api: not found" >> "$BUNDLE_DIR/summary.txt"
# Token presence (never log the actual token)
echo "--- Token Status ---" >> "$BUNDLE_DIR/summary.txt"
echo "MIRO_ACCESS_TOKEN: ${MIRO_ACCESS_TOKEN:+SET (length: ${#MIRO_ACCESS_TOKEN})}" >> "$BUNDLE_DIR/summary.txt"
echo "MIRO_CLIENT_ID: ${MIRO_CLIENT_ID:+SET}" >> "$BUNDLE_DIR/summary.txt"
echo "MIRO_REFRESH_TOKEN: ${MIRO_REFRESH_TOKEN:+SET}" >> "$BUNDLE_DIR/summary.txt"
Step 3: API Connectivity Tests
echo "--- API Connectivity ---" >> "$BUNDLE_DIR/summary.txt"
# DNS resolution
echo -n "DNS resolve api.miro.com: " >> "$BUNDLE_DIR/summary.txt"
nslookup api.miro.com 2>/dev/null | grep "Address" | tail -1 >> "$BUNDLE_DIR/summary.txt" || echo "FAILED" >> "$BUNDLE_DIR/summary.txt"
# HTTPS connectivity (no auth needed)
echo -n "HTTPS to api.miro.com: " >> "$BUNDLE_DIR/summary.txt"
curl -s -o /dev/null -w "%{http_code} (%{time_total}s)" https://api.miro.com 2>&1 >> "$BUNDLE_DIR/summary.txt"
echo "" >> "$BUNDLE_DIR/summary.txt&quoDeploy Miro REST API v2 integrations to Vercel, Fly.
ReadWriteEditBash(vercel:*)Bash(fly:*)Bash(gcloud:*)
Miro Deploy Integration
Overview
Deploy Miro REST API v2 integrations to popular platforms with proper OAuth 2.0 token management, webhook endpoint setup, and health monitoring.
Prerequisites
- Miro app configured with production OAuth credentials
- Access token with required scopes
- Platform CLI installed (vercel, fly, or gcloud)
Vercel Deployment
Environment Variables
# Add Miro secrets to Vercel
vercel env add MIRO_CLIENT_ID production
vercel env add MIRO_CLIENT_SECRET production
vercel env add MIRO_ACCESS_TOKEN production
vercel env add MIRO_WEBHOOK_SECRET production
API Route: Webhook Handler
// api/webhooks/miro.ts (Vercel serverless function)
import crypto from 'crypto';
export const config = { api: { bodyParser: false } };
export default async function handler(req, res) {
if (req.method !== 'POST') return res.status(405).end();
const chunks: Buffer[] = [];
for await (const chunk of req) chunks.push(chunk);
const rawBody = Buffer.concat(chunks);
// Verify Miro webhook signature
const signature = req.headers['x-miro-signature'] as string;
const expected = crypto.createHmac('sha256', process.env.MIRO_WEBHOOK_SECRET!)
.update(rawBody).digest('hex');
if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
return res.status(401).json({ error: 'Invalid signature' });
}
const event = JSON.parse(rawBody.toString());
// Handle board subscription events
switch (event.event) {
case 'board_subscription_changed':
console.log(`Board ${event.boardId}: item ${event.item?.type} ${event.type}`);
break;
}
res.status(200).json({ received: true });
}
API Route: OAuth Callback
// api/auth/miro/callback.ts
export default async function handler(req, res) {
const { code } = req.query;
const tokenResponse = await fetch('https://api.miro.com/v1/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
client_id: process.env.MIRO_CLIENT_ID!,
client_secret: process.env.MIRO_CLIENT_SECRET!,
code: code as string,
redirect_uri: `${process.env.VERCEL_URL}/api/auth/miro/callback`,
}),
});
const tokens = await tokenResponse.json();
// Store tokens securely (database, not env vars)
// tokens.access_token, tokens.refresh_token, tokens.expires_in (3599s)
res.redirect('/dashboard?connected=miro');
}
vercel.json
{
"functions": {
"api/webhooks/miro.ts": { "maxDuration": 10 },
"api/auth/miro/callback.tConfigure Miro Enterprise features: organization management, SCIM provisioning, board-level access control, audit logs, and SSO integration via REST API v2.
ReadWriteEdit
Miro Enterprise RBAC
Overview
Enterprise-grade access control for Miro REST API v2: organization and team management, SCIM user provisioning, board sharing with role-based permissions, and audit log access. Requires Miro Enterprise plan.
Miro Access Hierarchy
Organization (Enterprise)
├── Team 1
│ ├── Board A (sharing: team only)
│ │ ├── Owner (full control)
│ │ ├── Co-owner (full control, can't delete board)
│ │ ├── Editor (can add/edit items)
│ │ ├── Commenter (can add comments only)
│ │ └── Viewer (read-only)
│ └── Board B
├── Team 2
│ └── Board C
└── Projects
└── Project 1 (groups boards)
Board Roles & Permissions
| Role | View | Comment | Edit Items | Share | Delete Board |
|---|---|---|---|---|---|
| Viewer | Yes | No | No | No | No |
| Commenter | Yes | Yes | No | No | No |
| Editor | Yes | Yes | Yes | No | No |
| Co-owner | Yes | Yes | Yes | Yes | No |
| Owner | Yes | Yes | Yes | Yes | Yes |
Board Member Management
// List board members
// GET https://api.miro.com/v2/boards/{board_id}/members
const members = await miroFetch(`/v2/boards/${boardId}/members?limit=50`);
for (const member of members.data) {
console.log(`${member.name} (${member.id}): role=${member.role}`);
}
// Share board with users
// POST https://api.miro.com/v2/boards/{board_id}/members
await miroFetch(`/v2/boards/${boardId}/members`, 'POST', {
emails: ['dev@company.com', 'pm@company.com'],
role: 'editor', // 'viewer' | 'commenter' | 'editor' | 'coowner'
message: 'You have been added to the sprint board',
});
// Update member role
// PATCH https://api.miro.com/v2/boards/{board_id}/members/{member_id}
await miroFetch(`/v2/boards/${boardId}/members/${memberId}`, 'PATCH', {
role: 'commenter',
});
// Remove member from board
// DELETE https://api.miro.com/v2/boards/{board_id}/members/{member_id}
await miroFetch(`/v2/boards/${boardId}/members/${memberId}`, 'DELETE');
Team Management (Enterprise)
// List teams in organization
// GET https://api.miro.com/v2/orgs/{org_id}/teams (Enterprise)
const teams = await miroFetch(`/v2/orgs/${orgId}/teams?limit=50`);
// Get team details
// GET https://api.miro.com/v2/teams/{team_id}
const team = await miroFetch(`/v2/teams/${teamId}`);
// List team members
// GET https://api.miro.com/v2/teams/{team_id}/members
const teamMembers = await miroFetch(`/v2/teams/${teamId}/members?limit=100`);
// Invite user to Create a minimal working Miro example with real board and item operations.
ReadWriteEditBash(npm:*)Bash(npx:*)
Miro Hello World
Overview
Minimal working example: create a board, add a sticky note, add a shape, connect them, and read the results back — all using the Miro REST API v2.
Prerequisites
- Completed
miro-install-authsetup - Valid access token with
boards:readandboards:writescopes @mirohq/miro-apiinstalled
Instructions
Step 1: Create a Board
import { MiroApi } from '@mirohq/miro-api';
const api = new MiroApi(process.env.MIRO_ACCESS_TOKEN!);
async function createBoard() {
// POST https://api.miro.com/v2/boards
const response = await api.createBoard({
name: 'Hello World Board',
description: 'Created via REST API v2',
policy: {
sharingPolicy: {
access: 'private', // 'private' | 'view' | 'comment' | 'edit'
inviteToAccountAndBoardLinkAccess: 'no_access',
},
permissionsPolicy: {
collaborationToolsStartAccess: 'all_editors',
copyAccess: 'anyone',
sharingAccess: 'owners_and_coowners',
},
},
});
const boardId = response.body.id;
console.log(`Board created: ${boardId}`);
console.log(`View at: https://miro.com/app/board/${boardId}/`);
return boardId;
}
Step 2: Add a Sticky Note
async function addStickyNote(boardId: string) {
// POST https://api.miro.com/v2/boards/{board_id}/sticky_notes
const response = await fetch(
`https://api.miro.com/v2/boards/${boardId}/sticky_notes`,
{
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.MIRO_ACCESS_TOKEN}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
data: {
content: 'Hello from the API!',
shape: 'square', // 'square' | 'rectangle'
},
style: {
fillColor: 'light_yellow', // light_yellow | light_green | light_blue | light_pink | etc.
textAlign: 'center', // 'left' | 'center' | 'right'
textAlignVertical: 'middle',
},
position: { x: 0, y: 0 },
geometry: { width: 200 },
}),
}
);
const note = await response.json();
console.log(`Sticky note created: ${note.id} (type: ${note.type})`);
return note.id;
}
Step 3: Add a Shape
async function addShape(boardId: string) {
// POST https://api.miro.com/v2/boards/{board_id}/shapes
const response = await fetch(
`https://api.miro.com/v2/boards/${boardId}/shapes`,
{
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.MIROExecute Miro REST API v2 incident response with triage, mitigation, and postmortem.
ReadGrepBash(curl:*)Bash(jq:*)
Miro Incident Runbook
Overview
Rapid incident response for Miro REST API v2 integration failures: triage, mitigation, recovery, and postmortem.
Severity Levels
| Level | Definition | Response | Example |
|---|---|---|---|
| P1 | Complete integration outage | < 15 min | Miro API returns 5xx on all calls |
| P2 | Degraded service | < 1 hour | High latency, partial 429s |
| P3 | Minor impact | < 4 hours | Webhook delays, single-board errors |
| P4 | No user impact | Next business day | Monitoring gaps, non-critical warnings |
Quick Triage (First 5 Minutes)
#!/bin/bash
# miro-triage.sh — Run this first during any Miro incident
echo "=== MIRO TRIAGE $(date -u +%H:%M:%SZ) ==="
# 1. Is Miro itself down?
echo -n "Miro Status: "
curl -sf "https://status.miro.com/api/v2/status.json" | jq -r '.status.description' 2>/dev/null || echo "STATUS PAGE UNREACHABLE"
# 2. Can we reach the API?
echo -n "API Connectivity: "
curl -s -o /dev/null -w "HTTP %{http_code} (%{time_total}s)" \
-H "Authorization: Bearer ${MIRO_ACCESS_TOKEN}" \
"https://api.miro.com/v2/boards?limit=1" 2>/dev/null
echo ""
# 3. What's our rate limit status?
echo "Rate Limit:"
curl -sI -H "Authorization: Bearer ${MIRO_ACCESS_TOKEN}" \
"https://api.miro.com/v2/boards?limit=1" 2>/dev/null | \
grep -i "x-ratelimit\|retry-after" || echo " No rate limit headers"
# 4. Token validity
echo -n "Token: "
TOKEN_RESP=$(curl -s -H "Authorization: Bearer ${MIRO_ACCESS_TOKEN}" \
"https://api.miro.com/v1/oauth-token" 2>/dev/null)
echo "$TOKEN_RESP" | jq -r '"scopes: \(.scopes // "INVALID"), team: \(.team.id // "N/A")"' 2>/dev/null || echo "INVALID OR EXPIRED"
# 5. Our health check
echo -n "App Health: "
curl -sf "${APP_URL:-http://localhost:3000}/health" | jq -r '.miro.status // "UNAVAILABLE"' 2>/dev/null || echo "HEALTH CHECK FAILED"
Decision Tree
Miro API returning errors?
├── YES → What status code?
│ ├── 401/403 → Token issue
│ │ ├── Token expired? → Refresh token (see below)
│ │ └── Scopes changed? → Re-authorize via OAuth flow
│ ├── 429 → Rate limited
│ │ ├── Check X-RateLimit-Remaining header
│ │ ├── Honor Retry-After header
│ │ └── Reduce request rate or enable queue
│ ├── 404 → Board/item not found
│ │ └── Verify IDs haven't changed
│ └── 500/502/503 → Miro platform issue
│ ├── Check status.miro.com
│ ├── Enable graceful degraInstall and configure Miro REST API v2 authentication with OAuth 2.
ReadWriteEditBash(npm:*)Bash(npx:*)Grep
Miro Install & Auth
Overview
Set up the official @mirohq/miro-api Node.js client and configure OAuth 2.0 authentication against the Miro REST API v2 (https://api.miro.com/v2/).
Prerequisites
- Node.js 18+
- A Miro account (Free, Business, or Enterprise)
- A Miro app created at https://developers.miro.com (Your apps > Create new app)
- Client ID, Client Secret, and OAuth redirect URI from the app settings
Instructions
Step 1: Install the Official SDK
# Official Miro Node.js client
npm install @mirohq/miro-api
# For Express-based OAuth callback server
npm install express dotenv
Step 2: Configure OAuth 2.0 Credentials
# .env (NEVER commit — add to .gitignore)
MIRO_CLIENT_ID=your_client_id
MIRO_CLIENT_SECRET=your_client_secret
MIRO_REDIRECT_URI=http://localhost:3000/auth/miro/callback
MIRO_ACCESS_TOKEN= # Filled after OAuth flow
MIRO_REFRESH_TOKEN= # Filled after OAuth flow
Miro uses standard OAuth 2.0 authorization code flow. Tokens expire in 3599 seconds (approximately 1 hour). Always store and use the refresh token.
Step 3: OAuth 2.0 Authorization Flow
// src/auth.ts
import { Miro } from '@mirohq/miro-api';
import express from 'express';
// High-level client handles token management
const miro = new Miro({
clientId: process.env.MIRO_CLIENT_ID!,
clientSecret: process.env.MIRO_CLIENT_SECRET!,
redirectUrl: process.env.MIRO_REDIRECT_URI!,
// Storage adapter for tokens (implement for production)
storage: {
async get(userId: string) {
// Return stored token for user
return getTokenFromDB(userId);
},
async set(userId: string, token) {
// Persist token
await saveTokenToDB(userId, token);
},
},
});
const app = express();
// Step 1: Redirect user to Miro authorization page
app.get('/auth/miro', (req, res) => {
const authUrl = miro.getAuthUrl();
res.redirect(authUrl);
});
// Step 2: Handle OAuth callback
app.get('/auth/miro/callback', async (req, res) => {
const { code } = req.query;
if (!code || typeof code !== 'string') {
return res.status(400).send('Missing authorization code');
}
try {
// Exchange code for access_token + refresh_token
await miro.exchangeCodeForAccessToken('default-user', code);
res.send('Miro connected successfully!');
} catch (err) {
console.error('Token exchange failed:', err);
res.status(500).send('Authentication failed');
}
});
app.listen(3000, () => console.log('OAuth server at http://localhost:3000'));
Step 4: Direct API Access (Access Token Only)
For scripts and automation where you already have an access token:
Configure Miro local development with hot reload, testing, and ngrok tunneling.
ReadWriteEditBash(npm:*)Bash(npx:*)Grep
Miro Local Dev Loop
Overview
Set up a fast local development workflow for building Miro integrations, including hot reload, test mocking against the REST API v2, and ngrok tunneling for webhooks.
Prerequisites
- Completed
miro-install-authsetup - Node.js 18+ with npm or pnpm
- Access token with
boards:readandboards:writescopes - ngrok (for webhook development)
Instructions
Step 1: Project Structure
my-miro-app/
├── src/
│ ├── miro/
│ │ ├── client.ts # MiroApi wrapper singleton
│ │ ├── boards.ts # Board CRUD operations
│ │ ├── items.ts # Item operations (sticky notes, shapes, etc.)
│ │ └── types.ts # Response type definitions
│ ├── webhooks/
│ │ └── handler.ts # Webhook event processing
│ └── index.ts
├── tests/
│ ├── miro-client.test.ts
│ └── fixtures/
│ ├── board.json # Sample board response
│ └── sticky-note.json # Sample item response
├── .env.local # Local secrets (git-ignored)
├── .env.example # Template for team
├── package.json
└── tsconfig.json
Step 2: Package Configuration
{
"scripts": {
"dev": "tsx watch src/index.ts",
"test": "vitest",
"test:watch": "vitest --watch",
"test:integration": "MIRO_TEST_MODE=live vitest run tests/integration/",
"tunnel": "ngrok http 3000",
"typecheck": "tsc --noEmit"
},
"dependencies": {
"@mirohq/miro-api": "^2.0.0",
"express": "^4.18.0",
"dotenv": "^16.0.0"
},
"devDependencies": {
"tsx": "^4.0.0",
"vitest": "^1.0.0",
"typescript": "^5.0.0"
}
}
Step 3: Miro Client Singleton
// src/miro/client.ts
import { MiroApi } from '@mirohq/miro-api';
let instance: MiroApi | null = null;
export function getMiroApi(): MiroApi {
if (!instance) {
const token = process.env.MIRO_ACCESS_TOKEN;
if (!token) throw new Error('MIRO_ACCESS_TOKEN not set');
instance = new MiroApi(token);
}
return instance;
}
// For testing — allow injecting a mock
export function resetMiroApi(): void {
instance = null;
}
Step 4: Test Fixtures from Real API Responses
// tests/fixtures/board.json
{
"id": "uXjVN1234567890",
"type": "board",
"name": "Test Board",
"description": "Fixture for unit tests",
"createdAt": "2025-01-15T10:00:00Z",
"modifiedAt": "2025-01-Execute major Miro migrations — migrate boards between teams/orgs, export board content to external systems, import data into Miro, and re-platform from competing whiteboard tools using REST API v2.
ReadWriteEditBash(npm:*)Bash(node:*)
Miro Migration Deep Dive
Overview
Comprehensive guide for migrating Miro boards between teams and organizations, updating
from REST API v1 to v2, and re-platforming from competing whiteboard tools (Lucidchart,
FigJam). Covers board content export with cursor pagination, bulk import with rate-limit
aware queuing, widget API changes between v1 and v2, and the new app framework patterns.
Typical migration scope: dozens to thousands of boards with connectors, tags, and members.
Migration Assessment
// Scan current integration for deprecated v1 patterns and board inventory
async function assessMigration(teamId: string) {
const boards = await miroFetch(`/v2/boards?team_id=${teamId}&limit=50`);
let totalItems = 0;
for (const board of boards.data) {
const items = await miroFetch(`/v2/boards/${board.id}/items?limit=1`);
totalItems += items.total ?? 0;
}
console.log(`Team ${teamId}: ${boards.data.length} boards, ~${totalItems} items`);
console.log('API version: v2 (v1 deprecated 2024-01)');
console.log('Widget types to migrate: sticky_note, shape, card, text, frame, image, connector');
return { boardCount: boards.data.length, totalItems };
}
Step-by-Step Migration
Phase 1: Prepare — Export Source Boards
Export every item on a board to a structured JSON file with cursor-paginated reads:
interface BoardExport {
exportedAt: string;
board: { id: string; name: string; description: string; owner: { id: string; name: string } };
items: any[]; connectors: any[]; tags: any[]; members: any[];
}
async function exportBoard(boardId: string): Promise<BoardExport> {
const board = await miroFetch(`/v2/boards/${boardId}`);
const items = await paginateAll(`/v2/boards/${boardId}/items`);
const connectors = await paginateAll(`/v2/boards/${boardId}/connectors`);
const tags = await miroFetch(`/v2/boards/${boardId}/tags`);
const members = await miroFetch(`/v2/boards/${boardId}/members?limit=100`);
return {
exportedAt: new Date().toISOString(),
board: { id: board.id, name: board.name, description: board.description ?? '',
owner: { id: board.owner?.id, name: board.owner?.name } },
items: items.map(i => ({ id: i.id, type: i.type, data: i.data, style: i.style,
position: i.position, geometry: i.geometry, parentId: i.parent?.id })),
connectors, tags: tags.data ?? [], members: members.data ?? [],
};
}
async function paginateAll(baseUrl: string): Promise<any[]> {
const all: any[] = [];
let cursor: string | undefined;
do {
const params = new URLSearchParams({ limit: '50' });
if (cursor) params.set('cursor', cursor);
const page = await miroFetch(`${baseUrl}?${params}`);
all.push(...page.data);
cursor = page.cursor;
} while (cursor);
return all;
}
Configure Miro REST API v2 across development, staging, and production with separate OAuth apps, isolated test boards, and secret management.
ReadWriteEditBash(gcloud:*)Bash(aws:*)Bash(vault:*)
Miro Multi-Environment Setup
Overview
Configure separate Miro app credentials, OAuth scopes, and board access for development, staging, and production. Miro does not provide a sandbox API; all environments use https://api.miro.com/v2/ — isolation is achieved through separate apps and dedicated boards.
Environment Strategy
| Environment | Miro App | Boards | Scopes | Token Storage |
|---|---|---|---|---|
| Development | MyApp (Dev) |
1 dedicated test board | boards:read, boards:write |
.env.local |
| Staging | MyApp (Staging) |
Staging workspace boards | All required scopes | Secret Manager |
| Production | MyApp (Production) |
Production boards | Minimum required scopes | Secret Manager + rotation |
Key insight: Create a separate Miro app at https://developers.miro.com for each environment. This gives you independent client IDs, secrets, and OAuth redirect URIs.
Configuration Structure
config/
├── miro.base.ts # Shared settings (timeouts, retry policy)
├── miro.development.ts # Dev overrides
├── miro.staging.ts # Staging overrides
└── miro.production.ts # Prod overrides
Base Configuration
// config/miro.base.ts
export const miroBaseConfig = {
apiBase: 'https://api.miro.com/v2',
tokenEndpoint: 'https://api.miro.com/v1/oauth/token',
timeout: 30000,
retries: 3,
backoff: { baseMs: 1000, maxMs: 32000, jitterMs: 500 },
cache: { ttlSeconds: 120 },
rateLimit: { maxConcurrency: 5, requestsPerSecond: 10 },
};
Environment Configs
// config/miro.development.ts
import { miroBaseConfig } from './miro.base';
export const miroDevConfig = {
...miroBaseConfig,
clientId: process.env.MIRO_CLIENT_ID!,
clientSecret: process.env.MIRO_CLIENT_SECRET!,
redirectUri: 'http://localhost:3000/auth/miro/callback',
testBoardId: process.env.MIRO_TEST_BOARD_ID, // Dedicated dev board
cache: { ttlSeconds: 10 }, // Short TTL for dev
logLevel: 'debug',
};
// config/miro.staging.ts
export const miroStagingConfig = {
...miroBaseConfig,
clientId: process.env.MIRO_CLIENT_ID_STAGING!,
clientSecret: process.env.MIRO_CLIENT_SECRET_STAGING!,
redirectUri: 'https://staging.myapp.com/auth/miro/callback',
cache: { ttlSeconds: 60 },
logLevel: 'info',
};
// config/miro.production.ts
export const miroProdConfig = {
...miroBaseConfig,
clientId: process.env.MIRO_CLIENT_ID_PROD!,
clientSecret: process.env.MIRO_CLIENT_SECRET_PROD!,
redirectUri: 'https://myapp.com/auth/miro/cSet up observability for Miro REST API v2 integrations with Prometheus metrics, OpenTelemetry traces, structured logging, and Grafana dashboards.
ReadWriteEdit
Miro Observability
Overview
Comprehensive monitoring for Miro REST API v2 integrations: Prometheus metrics for request rates and latency, OpenTelemetry traces for request flow, structured logging, and alerting for rate limit and error conditions.
Key Metrics
| Metric | Type | Labels | Purpose |
|---|---|---|---|
mirorequeststotal |
Counter | method, endpoint, status | Request volume |
mirorequestduration_seconds |
Histogram | method, endpoint | Latency distribution |
miroerrorstotal |
Counter | error_type, endpoint | Error tracking |
miroratelimit_remaining |
Gauge | — | Credit headroom |
miroratelimitcreditsused |
Gauge | — | Credit consumption |
mirowebhookevents_total |
Counter | eventtype, itemtype | Webhook volume |
mirotokenrefresh_total |
Counter | status | OAuth health |
Prometheus Metrics
import { Registry, Counter, Histogram, Gauge } from 'prom-client';
const registry = new Registry();
registry.setDefaultLabels({ app: 'miro-integration' });
const requestCounter = new Counter({
name: 'miro_requests_total',
help: 'Total Miro REST API v2 requests',
labelNames: ['method', 'endpoint', 'status'] as const,
registers: [registry],
});
const requestDuration = new Histogram({
name: 'miro_request_duration_seconds',
help: 'Miro API request latency',
labelNames: ['method', 'endpoint'] as const,
buckets: [0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10],
registers: [registry],
});
const errorCounter = new Counter({
name: 'miro_errors_total',
help: 'Miro API errors by type',
labelNames: ['error_type', 'endpoint'] as const,
registers: [registry],
});
const rateLimitRemaining = new Gauge({
name: 'miro_rate_limit_remaining',
help: 'Miro rate limit credits remaining',
registers: [registry],
});
const rateLimitUsed = new Gauge({
name: 'miro_rate_limit_credits_used',
help: 'Miro rate limit credits used in current window',
registers: [registry],
});
const webhookCounter = new Counter({
name: 'miro_webhook_events_total',
help: 'Miro webhook events received',
labelNames: ['event_type', 'item_type'] as const,
registers: [registry],
});
Instrumented API Client
class InstrumentedMiroClient {
async fetch<TOptimize Miro REST API v2 performance with caching, cursor pagination, request batching, and connection pooling for high-throughput integrations.
ReadWriteEdit
Miro Performance Tuning
Overview
Optimize Miro REST API v2 throughput and latency. Key levers: minimize API calls with cursor pagination, cache board/item data, batch writes with controlled concurrency, and use connection pooling.
Latency Benchmarks
Typical latencies for api.miro.com (US region):
| Operation | Endpoint | P50 | P95 | Credits |
|---|---|---|---|---|
| Get board | GET /v2/boards/{id} |
80ms | 200ms | Level 1 |
| List items (50) | GET /v2/boards/{id}/items?limit=50 |
120ms | 350ms | Level 1 |
| Create sticky note | POST /v2/boards/{id}/sticky_notes |
150ms | 400ms | Level 2 |
| Create connector | POST /v2/boards/{id}/connectors |
160ms | 420ms | Level 2 |
| Update item | PATCH /v2/boards/{id}/items/{id} |
130ms | 350ms | Level 2 |
| Delete item | DELETE /v2/boards/{id}/items/{id} |
100ms | 280ms | Level 2 |
Cursor Pagination (Eliminate Over-Fetching)
Miro v2 uses cursor-based pagination. Fetch only what you need.
// Efficient paginated iterator
async function* paginateItems(
boardId: string,
options: { type?: string; limit?: number } = {}
): AsyncGenerator<MiroBoardItem> {
const limit = options.limit ?? 50; // Max 50 per page
let cursor: string | undefined;
do {
const params = new URLSearchParams({ limit: String(limit) });
if (options.type) params.set('type', options.type);
if (cursor) params.set('cursor', cursor);
const response = await fetch(
`https://api.miro.com/v2/boards/${boardId}/items?${params}`,
{ headers: { 'Authorization': `Bearer ${token}` } }
);
const page = await response.json();
for (const item of page.data) {
yield item;
}
cursor = page.cursor; // undefined when no more pages
} while (cursor);
}
// Usage: process items without loading entire board into memory
for await (const item of paginateItems(boardId, { type: 'sticky_note' })) {
await processItem(item);
}
Caching Strategy
In-Memory Cache (Single Instance)
import { LRUCache } from 'lru-cache';
const boardCache = new LRUCache<string, unknown>({
max: 500, // Max 500 cached entries
ttl: 60_000, // 1 minute TTL
updateAgeOnGet: true, // Extend TTL on access
updateAgeOnHas: false,
});
async function getCachedBoard(boardId: string): Promise<MiroBoard> {
const cacheKey = `board:${boardId}`;
const cached = boardCacheExecute Miro REST API v2 production deployment checklist and rollback procedures.
ReadBash(curl:*)Grep
Miro Production Checklist
Overview
Complete checklist for deploying Miro REST API v2 integrations to production, covering OAuth configuration, rate limit readiness, monitoring, and rollback.
Pre-Deployment: OAuth & Scopes
- [ ] Production Miro app created at https://developers.miro.com (separate from dev app)
- [ ] OAuth scopes minimized — only scopes actively used (see
miro-security-basics) - [ ] Redirect URI points to production HTTPS endpoint
- [ ] Client secret stored in secret manager (not env vars on disk)
- [ ] Token refresh logic tested — handles expired tokens gracefully
- [ ] Token storage uses encrypted database or vault (not filesystem)
Pre-Deployment: Code Quality
- [ ] No hardcoded tokens — scan with
grep -r "eyJ\|Bearer " src/ - [ ] Error handling covers all Miro HTTP status codes (400, 401, 403, 404, 429, 5xx)
- [ ] Rate limiting — backoff with
Retry-Afterheader support (seemiro-rate-limits) - [ ] Webhook signatures validated with timing-safe comparison
- [ ] Pagination handled for all list endpoints (
cursorparameter) - [ ] Content-Type header set to
application/jsonon all POST/PATCH requests - [ ] All tests passing including integration tests against test board
Pre-Deployment: Infrastructure
- [ ] Health check endpoint verifies Miro API connectivity
// GET /health
async function healthCheck() {
const start = Date.now();
try {
const response = await fetch('https://api.miro.com/v2/boards?limit=1', {
headers: { 'Authorization': `Bearer ${token}` },
signal: AbortSignal.timeout(5000),
});
return {
miro: {
status: response.ok ? 'healthy' : 'degraded',
latencyMs: Date.now() - start,
rateLimitRemaining: response.headers.get('X-RateLimit-Remaining'),
},
};
} catch (error) {
return {
miro: { status: 'unhealthy', latencyMs: Date.now() - start, error: error.message },
};
}
}
- [ ] Circuit breaker configured for Miro API calls
class MiroCircuitBreaker {
private failures = 0;
private lastFailure = 0;
private readonly threshold = 5;
private readonly resetMs = 60000;
async execute<T>(operation: () => Promise<T>): Promise<T> {
if (this.isOpen()) {
throw new Error('Miro circuit breaker is open — API calls suspended');
}
try {
const result = Implement Miro REST API v2 rate limiting with the credit-based system, exponential backoff, and request queuing.
ReadWriteEdit
Miro Rate Limits
Overview
Miro measures API usage in credits, not raw request counts. Each endpoint consumes a different number of credits based on complexity. The global limit is 100,000 credits per minute per app.
Credit System
Rate Limit Levels
Each Miro REST API endpoint is assigned a rate limit level that determines its credit cost:
| Level | Credits per Call | Example Endpoints |
|---|---|---|
| Level 1 | Lower cost | GET single board, GET single item |
| Level 2 | Medium cost | POST create sticky note, POST create shape, POST create connector |
| Level 3 | Higher cost | Batch operations, complex queries |
| Level 4 | Highest cost | Export, bulk data operations |
The exact credit cost per level is subject to change. Monitor via response headers.
Rate Limit Response Headers
Every Miro API response includes these headers:
| Header | Description | Example |
|---|---|---|
X-RateLimit-Limit |
Total credits allocated per minute | 100000 |
X-RateLimit-Remaining |
Credits remaining in current window | 99850 |
X-RateLimit-Reset |
Unix timestamp when window resets | 1700000060 |
When rate limited, the response also includes:
| Header | Description | Example |
|---|---|---|
Retry-After |
Seconds to wait before retrying | 30 |
Exponential Backoff with Jitter
interface BackoffConfig {
maxRetries: number;
baseDelayMs: number;
maxDelayMs: number;
jitterMs: number;
}
const DEFAULT_BACKOFF: BackoffConfig = {
maxRetries: 5,
baseDelayMs: 1000,
maxDelayMs: 32000,
jitterMs: 500,
};
async function withBackoff<T>(
operation: () => Promise<Response>,
config = DEFAULT_BACKOFF
): Promise<T> {
for (let attempt = 0; attempt <= config.maxRetries; attempt++) {
const response = await operation();
if (response.ok) {
return response.json();
}
// Only retry on 429 and 5xx
if (response.status !== 429 && response.status < 500) {
const error = await response.json().catch(() => ({}));
throw new Error(`Miro API ${response.status}: ${error.message ?? 'Request failed'}`);
}
if (attempt === config.maxRetries) {
throw new Error(`Miro API: Max retries (${config.maxRetries}) exceeded`);
}
// Prefer Retry-After header if available
const retryAfter = response.headers.gImplement a production-ready reference architecture for Miro REST API v2 integrations with layered design, caching, and event processing.
ReadGrep
Miro Reference Architecture
Overview
Production-ready architecture for Miro REST API v2 integrations. Layered design with a board service, item factory, webhook event processor, and caching layer.
Architecture Diagram
┌──────────────────────────────────────────────────────────┐
│ API / UI Layer │
│ Express routes, Next.js API routes, CLI commands │
├──────────────────────────────────────────────────────────┤
│ Service Layer │
│ BoardService, ItemService, SyncService │
│ (business logic, orchestration, validation) │
├──────────────────────────────────────────────────────────┤
│ Miro Client Layer │
│ MiroApiClient (REST v2), TokenManager (OAuth 2.0) │
│ ItemFactory (typed creation), ConnectorBuilder │
├──────────────────────────────────────────────────────────┤
│ Infrastructure Layer │
│ Cache (LRU/Redis), Queue (PQueue), Monitor (metrics) │
│ WebhookProcessor (signature + idempotency) │
└──────────────────────────────────────────────────────────┘
│
▼
https://api.miro.com/v2/
Project Structure
src/
├── miro/
│ ├── client.ts # MiroApiClient — wraps fetch with auth, retries, monitoring
│ ├── token-manager.ts # OAuth 2.0 token lifecycle (refresh, storage)
│ ├── item-factory.ts # Typed item creation (sticky notes, shapes, cards, etc.)
│ ├── connector-builder.ts # Fluent API for creating connectors
│ ├── types.ts # TypeScript types for all Miro v2 responses
│ └── errors.ts # MiroApiError, MiroAuthError, MiroRateLimitError
├── services/
│ ├── board-service.ts # Board CRUD + member management
│ ├── item-service.ts # Item CRUD + tag operations
│ ├── sync-service.ts # Two-way sync between Miro and your database
│ └── search-service.ts # Find items by content, type, or tag
├── webhooks/
│ ├── handler.ts # Express/serverless webhook endpoint
│ ├── processor.ts # Event routing and processing
│ └── idempotency.ts # Duplicate event prevention
├── cache/
│ ├── board-cache.ts # Board metadata cache
│ └── item-cache.ts # Item data cache with webhook invalidation
├── config/
│ ├── miro.ts # Environment-based Miro configuration
│ └── index.ts # Config loader
└── monitoring/
├── metrics.ts # Prometheus counters/histograms for Miro API
└── health.ts # Health check endpoint
Core Components
MiroApiClient
// src/miro/client.ts
export class MiroApiClient {
constructor(
private tokenManager: TokenManager,
Apply production-ready patterns for @mirohq/miro-api client usage.
ReadWriteEdit
Miro SDK Patterns
Overview
Production-ready patterns for the @mirohq/miro-api Node.js client and direct REST API v2 usage. Covers the high-level Miro client (stateful, OAuth-aware) and the low-level MiroApi client (stateless, token-based).
Prerequisites
@mirohq/miro-apiinstalled- TypeScript 5+ project
- Understanding of Miro REST API v2 item model
Two Client Modes
import { Miro, MiroApi } from '@mirohq/miro-api';
// HIGH-LEVEL: Stateful, manages OAuth tokens per user
// Use for multi-user apps (SaaS, web apps with OAuth)
const miro = new Miro({
clientId: process.env.MIRO_CLIENT_ID!,
clientSecret: process.env.MIRO_CLIENT_SECRET!,
redirectUrl: process.env.MIRO_REDIRECT_URI!,
});
const userApi = await miro.as('user-id'); // Returns MiroApi scoped to user
// LOW-LEVEL: Stateless, pass token directly
// Use for scripts, automation, single-user integrations
const api = new MiroApi(process.env.MIRO_ACCESS_TOKEN!);
Pattern 1: Type-Safe Board Service
// src/miro/board-service.ts
import { MiroApi } from '@mirohq/miro-api';
// Response types matching Miro REST API v2
interface MiroBoard {
id: string;
type: 'board';
name: string;
description: string;
createdAt: string;
modifiedAt: string;
}
interface MiroBoardItem {
id: string;
type: 'sticky_note' | 'shape' | 'card' | 'text' | 'frame' | 'image' | 'document' | 'embed' | 'app_card';
data: Record<string, unknown>;
position: { x: number; y: number; origin: string };
geometry?: { width?: number; height?: number };
createdAt: string;
createdBy: { id: string; type: string };
}
interface PaginatedResponse<T> {
data: T[];
total: number;
size: number;
offset: number;
limit: number;
cursor?: string;
}
export class BoardService {
constructor(private api: MiroApi) {}
async getBoard(boardId: string): Promise<MiroBoard> {
const response = await this.api.getBoard(boardId);
return response.body as unknown as MiroBoard;
}
async listItems(
boardId: string,
options: { type?: string; limit?: number; cursor?: string } = {}
): Promise<PaginatedResponse<MiroBoardItem>> {
const params = new URLSearchParams();
if (options.type) params.set('type', options.type);
if (options.limit) params.set('limit', String(options.limit));
if (options.cursor) params.set('cursor', options.cursor);
const response = await fetch(
`https://api.miro.com/v2/boards/${boardId}/items?${params}`,
{ headers: this.authHeaders() }
);
return response.json();
}
async getAllItems(boardId: string): Promise<MiroBoardItem[]> {
const items: MiroBoardItem[] = [];
Apply Miro REST API v2 security best practices — OAuth scope minimization, token storage, webhook signature validation, and secret rotation.
ReadWriteGrep
Miro Security Basics
Overview
Security best practices for Miro OAuth 2.0 tokens, webhook signatures, and access control across the REST API v2.
Prerequisites
- Miro app created at https://developers.miro.com
- Understanding of OAuth 2.0 concepts
- Secret management solution for production
OAuth Token Security
Never Store Tokens in Code
# .env (NEVER commit to git)
MIRO_CLIENT_ID=3458764500000001
MIRO_CLIENT_SECRET=your_client_secret_here
MIRO_ACCESS_TOKEN=eyJ...
MIRO_REFRESH_TOKEN=eyJ...
# .gitignore — MUST include these
.env
.env.local
.env.*.local
*.pem
Scope Minimization
Request only the scopes your app actually needs. Fewer scopes = smaller blast radius if a token is compromised.
| Use Case | Minimum Scopes |
|---|---|
| Read-only dashboard | boards:read |
| Board automation | boards:read, boards:write |
| Team management | boards:read, team:read, team:write |
| Enterprise admin | boards:read, organizations:read, auditlogs:read |
| Full integration | boards:read, boards:write, identity:read |
Token Lifecycle Management
// src/miro/token-manager.ts
interface TokenInfo {
accessToken: string;
refreshToken: string;
expiresAt: number; // Unix timestamp in ms
scopes: string[];
}
class MiroTokenManager {
constructor(
private storage: TokenStorage, // DB, Redis, or Vault
private clientId: string,
private clientSecret: string,
) {}
async getValidToken(userId: string): Promise<string> {
const info = await this.storage.get(userId);
if (!info) throw new Error('User not authorized');
// Refresh 5 minutes before expiry
if (Date.now() > info.expiresAt - 300_000) {
return this.refreshToken(userId, info.refreshToken);
}
return info.accessToken;
}
private async refreshToken(userId: string, refreshToken: string): Promise<string> {
const response = await fetch('https://api.miro.com/v1/oauth/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'refresh_token',
client_id: this.clientId,
client_secret: this.clientSecret,
refresh_token: refreshToken,
}),
});
if (!response.ok) {
// Refresh token revoked or expired — user must re-authorize
await this.storage.delete(userId);
throw new Error('Miro refresh token invalid. User must re-authorize.');
}
consMigrate Miro integrations from REST API v1 to v2 and upgrade @mirohq/miro-api SDK.
ReadWriteEditBash(npm:*)Bash(npx:*)
Miro Upgrade & Migration
Overview
Guide for migrating from Miro REST API v1 to v2, upgrading the @mirohq/miro-api SDK, and handling the key breaking changes between versions.
Key Breaking Changes: v1 to v2
Terminology Changes
| v1 Term | v2 Term | Notes |
|---|---|---|
| Widget | Item | All board elements renamed |
| Line | Connector | Lines renamed, gained captions and snapTo |
| Sticker | Sticky Note | Type value: sticky_note |
| Widget API (polymorphic) | Per-type endpoints | No more universal create endpoint |
text property |
content property |
In data objects |
shapeType |
shape (in data) |
Moved from style to data object |
startWidget / endWidget |
startItem / endItem |
Connector endpoints |
| Board User Connection | Board Member | Sharing/permissions model |
Endpoint Migration Map
# v1 (DEPRECATED) → v2 (CURRENT)
POST /v1/boards/{id}/widgets → POST /v2/boards/{id}/sticky_notes
POST /v2/boards/{id}/shapes
POST /v2/boards/{id}/cards
POST /v2/boards/{id}/texts
POST /v2/boards/{id}/frames
POST /v2/boards/{id}/images
POST /v2/boards/{id}/documents
POST /v2/boards/{id}/embeds
POST /v2/boards/{id}/app_cards
GET /v1/boards/{id}/widgets → GET /v2/boards/{id}/items
GET /v1/boards/{id}/widgets/{widget_id} → GET /v2/boards/{id}/items/{item_id}
(or type-specific: /v2/boards/{id}/sticky_notes/{item_id})
POST /v1/boards/{id}/widgets (type: line) → POST /v2/boards/{id}/connectors
GET /v1/boards/{id}/widgets?type=line → GET /v2/boards/{id}/connectors
Request Body Changes
// v1: Create a sticky note (via universal widgets endpoint)
// POST /v1/boards/{id}/widgets
{
"type": "sticker",
"text": "Hello World",
"style": {
"stickerBackgroundColor": "#FFFF00"
},
"x": 100,
"y": 200,
"width": 200
}
// v2: Create a sticky note (dedicated endpoint)
// POST /v2/boards/{id}/sticky_notes
{
"data": {
&quoImplement Miro REST API v2 webhooks with board subscriptions, event handling, and signature verification for real-time board change notifications.
ReadWriteEditBash(curl:*)
Miro Webhooks & Events
Overview
Receive real-time notifications when items on a Miro board change. Miro uses board subscriptions via the /v2-experimental/webhooks/board_subscriptions endpoint. All board item types are supported except tags, connectors, and comments.
Prerequisites
- Access token with
boards:readscope - HTTPS endpoint accessible from the internet
- Webhook signing secret (generated when creating subscription)
Create a Board Subscription
// POST https://api.miro.com/v2-experimental/webhooks/board_subscriptions
async function createBoardSubscription(boardId: string, callbackUrl: string) {
const response = await fetch(
'https://api.miro.com/v2-experimental/webhooks/board_subscriptions',
{
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.MIRO_ACCESS_TOKEN}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
boardId,
callbackUrl, // Must be HTTPS
status: 'enabled', // 'enabled' | 'disabled'
}),
}
);
const subscription = await response.json();
console.log(`Subscription created: ${subscription.id}`);
console.log(`Type: ${subscription.type}`); // 'board_subscription'
return subscription;
}
Manage Subscriptions
// List subscriptions
// GET https://api.miro.com/v2-experimental/webhooks/board_subscriptions
const list = await miroFetch('/v2-experimental/webhooks/board_subscriptions');
// Get a specific subscription
// GET https://api.miro.com/v2-experimental/webhooks/board_subscriptions/{subscription_id}
const sub = await miroFetch(`/v2-experimental/webhooks/board_subscriptions/${subId}`);
// Update subscription (enable/disable)
// PATCH https://api.miro.com/v2-experimental/webhooks/board_subscriptions/{subscription_id}
await miroFetch(`/v2-experimental/webhooks/board_subscriptions/${subId}`, 'PATCH', {
status: 'disabled',
});
// Delete subscription
// DELETE https://api.miro.com/v2-experimental/webhooks/board_subscriptions/{subscription_id}
await miroFetch(`/v2-experimental/webhooks/board_subscriptions/${subId}`, 'DELETE');
Event Payload Structure
When a board item is created, updated, or deleted, Miro sends a POST request to your callback URL:
{
"event": "board_subscription_changed",
"type": "update",
"boardId": "uXjVN1234567890",
"item": {
"id": "3458764500000001",
"type": "sticky_note"
},
"changes": [
{
"property": "data.content",
"previousValue": "OlReady to use miro-pack?
Related Plugins
excel-analyst-pro
Professional financial modeling toolkit for Claude Code with auto-invoked Skills and Excel MCP integration. Build DCF models, LBO analysis, variance reports, and pivot tables using natural language.
brand-strategy-framework
A 7-part brand strategy framework for building comprehensive brand foundations - the same methodology top agencies use with Fortune 500 clients.
clay-pack
Complete Clay integration skill pack with 30 skills covering data enrichment, waterfall workflows, AI agents, and GTM automation. Flagship+ tier vendor pack.
instantly-pack
Complete Instantly integration skill pack with 24 skills covering cold email, outreach automation, and lead generation. Flagship tier vendor pack.
apollo-pack
Complete Apollo integration skill pack with 24 skills covering sales engagement, prospecting, sequencing, analytics, and outbound automation. Flagship tier vendor pack.
juicebox-pack
Complete Juicebox integration skill pack with 24 skills covering people data, enrichment, contact search, and AI-powered discovery. Flagship tier vendor pack.
Tags
mirosaassdkintegration