Bolt.new AI and Harvest integration: Step-by-Step Guide 2025

To integrate Bolt.new AI with Harvest, you don’t connect “Bolt to Harvest” directly. Instead, you build a small app or script inside Bolt.new that talks to Harvest’s real REST API using a Harvest Personal Access Token or OAuth2. In practice, the simplest and fastest valid approach is: create a server route in your Bolt.new project, store your Harvest token as an environment variable, and call Harvest’s API over HTTPS using standard fetch. Bolt.new will run that code in its sandbox exactly like a normal Node server, so as long as your code and credentials are correct, the integration works exactly the same way it would in any real-world deployment.

 

What You Actually Do

 

You integrate Bolt.new with Harvest by wiring your Bolt-generated backend to Harvest’s REST API. That’s it. You authenticate using a Harvest Personal Access Token (the easiest method), set it in Environment Variables within Bolt, and write normal API calls. Bolt.new doesn’t require special connectors.

• Harvest provides a REST API: https://help.getharvest.com/api-v2/introduction/overview/
• Auth method: HTTP Basic Auth where username = your personal access token, password = blank
• Bolt.new backend: Standard Node.js + fetch()
• Data flow: Your Bolt route → Harvest API → JSON response

 

Step-by-Step: Make a Harvest API Call from Bolt.new

 

The example below shows how to fetch your list of clients from Harvest inside Bolt.new. Replace the token with your real one stored in your environment variables.

 

// app/routes/harvest.clients.js
import express from 'express';

const router = express.Router();

router.get('/harvest/clients', async (req, res) => {
  try {
    const response = await fetch('https://api.harvestapp.com/v2/clients', {
      method: 'GET',
      headers: {
        // Harvest uses Basic auth: username = PAT, password = "" (empty)
        'Authorization': 'Basic ' + Buffer.from(process.env.HARVEST_PAT + ':').toString('base64'),
        'Harvest-Account-ID': process.env.HARVEST_ACCOUNT_ID, // Required header
        'User-Agent': 'bolt-new-integration ([email protected])' // Harvest requires a UA string
      }
    });

    const data = await response.json();
    res.json(data);

  } catch (err) {
    console.error('Harvest API error:', err);
    res.status(500).json({ error: 'Failed to talk to Harvest' });
  }
});

export default router;

 

How to Set Up the Required Auth in Bolt.new

 

You must configure your Harvest credentials as environment variables inside Bolt.new (the same way you would in a real cloud environment).

• HARVEST\_PAT = your Personal Access Token
• HARVEST_ACCOUNT_ID = the numeric account ID shown in your Harvest account settings

In Bolt.new, open the left panel → Environment Variables → add these two keys. Never hardcode the token in source code.

 

How the Auth Works (Plain Explanation)

 

Harvest doesn’t use API keys in the URL. Instead, you send your personal access token as a Basic Auth username. Basic Auth takes "username:password", encodes it as Base64, and sends it in the Authorization header. Because the password is blank for Harvest PATs, you encode "PAT:". Your Bolt backend does that automatically using Node's Buffer.

Harvest additionally requires the Harvest-Account-ID header for every request. If you forget it, your request fails even if your token is correct.

 

Testing the Integration Inside Bolt.new

 

• Run the dev server in Bolt.new.
• Hit your route in the browser, ex: http://localhost:3000/harvest/clients.
• If authentication is correct, you’ll see JSON with your Harvest client list.

 

Hardening for Production

 

• Move the same environment variables into your real hosting platform (Vercel, Render, Fly.io, etc.).
• NEVER store tokens in frontend code.
• Put all Harvest calls behind authenticated backend routes.
• Use HTTPS everywhere (Bolt.dev server already does this when deployed).

 

Common Mistakes to Avoid

 

• Forgetting the Harvest-Account-ID header (this is the #1 error).
• Using OAuth2 when you don’t need it (PAT is simpler unless you're building a multi-user SaaS).
• Putting your token in client-side JavaScript (never do this).
• Not setting a User-Agent header (Harvest requires it).

 

When to Use OAuth Instead of PAT

 

If you’re only integrating your own Harvest account, use a PAT. If your Bolt app will let multiple users connect their own Harvest accounts, then you must implement OAuth2 using Harvest’s documented flow. Bolt.new supports this because it’s just standard OAuth redirect URLs and token exchange via HTTPS.

• Frontend sends user to Harvest’s authorization URL.
• User approves.
• Harvest redirects back to your Bolt route with a code.
• Your Bolt backend exchanges the code for access + refresh tokens.

It’s normal Node.js OAuth — no special Bolt APIs.

 

That’s everything you need: Harvest provides a normal REST API, and Bolt.new acts as your browser-based development environment in which you build a backend route that talks to Harvest securely using environment variables and fetch. This is the real, correct, and complete way to integrate the two systems.