.gif)
We build custom applications 5x faster and cheaper 🚀
Book a Free Consultation
Stuck on an error? Book a 30-minute call with an engineer and get a direct fix + next steps. No pressure, no commitment.
To integrate Replit with Todoist, you use Todoist’s official REST API over HTTPS inside your Repl. You create a developer app in Todoist to obtain an API token, store it safely in Replit Secrets, and then make authenticated HTTP requests using that token. With these requests, you can do real actions: read your task list, add new tasks, mark tasks as complete, etc. The integration runs as a typical Node.js, Python, or Flask/Express app that binds to 0.0.0.0 and can receive Todoist webhooks if needed. Everything is explicit and controlled with environment variables — there is no magical linking mechanism between Replit and Todoist.
1. Set up Todoist developer access
2. Store secrets in Replit
.png)
.png)
TODOIST\_TOKEN storing your Todoist personal API token.
3. Write code to interact with Todoist
fetch or Python with requests. Below is a working Node.js example.
// Import node-fetch (built-in in newer Node versions or install with npm i node-fetch)
import express from "express"
import fetch from "node-fetch"
const app = express()
app.use(express.json())
const TODOIST_TOKEN = process.env.TODOIST_TOKEN
// Example endpoint to get active tasks from Todoist
app.get("/tasks", async (req, res) => {
const response = await fetch("https://api.todoist.com/rest/v2/tasks", {
headers: { "Authorization": `Bearer ${TODOIST_TOKEN}` }
})
const tasks = await response.json()
res.json(tasks)
})
// Example endpoint to create a new Todoist task
app.post("/tasks", async (req, res) => {
const body = { content: req.body.content || "New task from Replit" }
const response = await fetch("https://api.todoist.com/rest/v2/tasks", {
method: "POST",
headers: {
"Authorization": `Bearer ${TODOIST_TOKEN}`,
"Content-Type": "application/json"
},
body: JSON.stringify(body)
})
const result = await response.json()
res.json(result)
})
// Start server (bind to 0.0.0.0 for Replit)
app.listen(3000, "0.0.0.0", () => console.log("Server running on port 3000"))
4. Run and test your integration
/tasks path in your browser or using curl to see your current Todoist tasks.
5. Optional: Handle Todoist webhooks
/webhook endpoint in your Express app, verify the secret provided by Todoist, and log the incoming data.
/tmp folder and may restart processes, so store no permanent data there.
Done correctly, your Replit-Todoist integration behaves like any real API integration: a live running Repl, a Node/Express or Python/Flask server, credentials in Secrets, explicit API calls to Todoist’s endpoints, and clear webhook routing if you need live sync.
1
Connect your Replit project’s deployment pipeline to Todoist using its REST API. When you deploy your app or finish a workflow, your Repl can automatically create or update a Todoist task indicating the release state. Store your Todoist API token securely in Replit Secrets, then send HTTP requests from your server via fetch() or a library like axios. This helps smaller teams track operational work as part of their everyday development cycle while keeping all authentication data safe and persistent.
TODOIST_API_TOKEN — no tokens in code.https://api.todoist.com/rest/v2/tasks.// Create a Todoist task after deploy
import fetch from "node-fetch";
await fetch("https://api.todoist.com/rest/v2/tasks", {
method: "POST",
headers: {
"Authorization": `Bearer ${process.env.TODOIST_API_TOKEN}`,
"Content-Type": "application/json"
},
body: JSON.stringify({ content: "Deployment completed 🟢" })
});
2
Use Todoist as your lightweight task list while hosting an internal issue tracker in your Replit full-stack app. With a small Express.js server, you can connect the two: Todoist acts as your front-facing client to create or close tasks, and your Replit backend syncs data to a JSON-based project store (or external DB). This mirrors production workflows where Replit hosts the integration service, handling REST communication and persistence through explicit file storage or external APIs.
/sync endpoints.// Receive Todoist webhook in your Repl
import express from "express";
const app = express();
app.use(express.json());
app.post("/todoist-webhook", (req, res) => {
const event = req.body.event_name;
// Update your Repl issue tracker here
console.log("Todoist event:", event);
res.status(200).send("ok");
});
app.listen(3000, "0.0.0.0", () => console.log("Listening on port 3000"));
3
Build a custom dashboard hosted directly in Replit that visualizes Todoist data, helping you see project tasks alongside development metrics or server logs. Your app can periodically fetch from the Todoist API and display task categories, due dates, and priorities in real-time. With Replit Deployments, you can make this dashboard persistently available at a custom URL. This brings together your planning layer and your execution layer without external dependencies.
// Fetch and render tasks for dashboard
import fetch from "node-fetch";
const response = await fetch("https://api.todoist.com/rest/v2/tasks", {
headers: { "Authorization": `Bearer ${process.env.TODOIST_API_TOKEN}` }
});
const tasks = await response.json();
tasks.forEach(t => console.log(`${t.content} — ${t.due?.date || "No due date"}`));
Speak one‑on‑one with a senior engineer about your no‑code app, migration goals, and budget. In just half an hour you’ll leave with clear, actionable next steps—no strings attached.
1
In Replit, the secure way to store a Todoist API key is by using Replit Secrets. You don’t put your key directly in the code; instead, you add it as a secret, then access it through an environment variable inside your app. This way, the key stays hidden from public view, even if your Repl is public or shared. In your code, you can read it safely using process.env in Node.js or os.environ in Python.
// Example for Node.js in index.js
const todoistKey = process.env.TODOIST_API_KEY
// Use the key securely to call Todoist REST API
fetch("https://api.todoist.com/rest/v2/projects", {
headers: { "Authorization": `Bearer ${todoistKey}` }
})
.then(res => res.json())
.then(console.log)
Never log or share this value and avoid committing it to GitHub or other repos. Secrets in Replit are encrypted, isolated per Repl, and injected at runtime as environment variables, making this the correct production‑safe approach for credentials.
2
Most Todoist fetch failures in Replit happen because the request isn’t reaching Todoist correctly, usually due to missing HTTPS protocol, incorrect headers, or the token not being read properly from Replit Secrets (which are stored as environment variables). Even if the token is right, using localhost callback URLs, not awaiting the response, or sending the wrong Content-Type header can cause the API to reject the call.
https://api.todoist.com/rest/v2/.... Wrong protocol or typos break the call.Bearer YOUR\_TOKEN. Don’t concatenate quotes or spaces.TODOIST_TOKEN and access it using process.env.TODOIST_TOKEN.
// Example: working fetch to Todoist inside Replit Node.js Repl
const fetch = require("node-fetch")
const token = process.env.TODOIST_TOKEN
fetch("https://api.todoist.com/rest/v2/tasks", {
headers: { "Authorization": `Bearer ${token}` }
})
.then(res => res.json())
.then(console.log)
.catch(console.error)
This ensures correct headers, secure HTTPS, and reliable token access. If it still fails, log res.status and res.text() to see Todoist’s exact rejection reason.
3
You can schedule automatic sync between Todoist tasks and your Replit project by calling the Todoist REST API from a small Node.js or Python script, then letting Replit's Workflows feature trigger that script on a schedule. Replit itself doesn’t run background jobs automatically unless started via Workflows or an external service, so use either Replit Workflows' cron-like schedules or connect an external automation tool (like GitHub Actions or cron-job.org) to hit your Repl’s endpoint periodically.
import os, requests
TOKEN = os.environ["TODOIST_API_TOKEN"]
headers = {"Authorization": f"Bearer {TOKEN}"}
// Fetch tasks
r = requests.get("https://api.todoist.com/rest/v2/tasks", headers=headers)
tasks = r.json()
// Example: write task data to a file in the Repl
with open("tasks.json", "w") as f:
import json
json.dump(tasks, f, indent=2)
This approach gives you reliable automation within Replit’s constraints: your logic runs under Workflow control, credentials stay secured in Secrets, and sync results persist in files or an external DB.
Many developers store the access_token from Todoist’s OAuth flow in a Replit Secret and never refresh it. That token expires, and the integration silently fails. Todoist sends a refresh_token that you must exchange for a new access token before each API call fails. Replit has no long-running cron, so you need to refresh on-demand or use an external scheduler.
// Example token refresh
import fetch from "node-fetch";
async function refreshToken(){
const resp = await fetch("https://todoist.com/oauth/access_token", {
method: "POST",
headers: {"Content-Type": "application/x-www-form-urlencoded"},
body: new URLSearchParams({
client_id: process.env.TODOIST_CLIENT_ID,
client_secret: process.env.TODOIST_CLIENT_SECRET,
refresh_token: process.env.TODOIST_REFRESH_TOKEN,
grant_type: "refresh_token"
})
});
const data = await resp.json();
process.env.TODOIST_ACCESS_TOKEN = data.access_token; // temporary in memory
}
Developers often bind the server to localhost instead of 0.0.0.0. On Replit, a web server must listen on 0.0.0.0 with a specific port (from process.env.PORT) so Replit can route traffic. If you only bind to localhost, Todoist’s webhook can’t reach your endpoint, and events are never received.
import express from "express";
const app = express();
// Webhook endpoint for Todoist
app.post("/webhook", (req, res) => {
console.log("Webhook received");
res.sendStatus(200);
});
// Correct binding for Replit
app.listen(process.env.PORT || 3000, "0.0.0.0", () => {
console.log("Server running");
});
Putting client_id or client_secret directly into source code is unsafe. Replit’s storage makes the code visible, and forks or public Repls can leak secrets. Instead, use Replit Secrets so credentials exist only as environment variables. That prevents accidental exposure of the Todoist OAuth configuration.
// Safe usage through Replit Secrets
const clientId = process.env.TODOIST_CLIENT_ID;
const clientSecret = process.env.TODOIST_CLIENT_SECRET;
Todoist sends webhooks that include an X-Todoist-Hmac-SHA256 header to verify authenticity. Beginners often skip this, accepting any inbound request. That makes your integration vulnerable to fake payloads. You must compute the HMAC from the request body and compare it to the header using your Todoist client secret.
import crypto from "crypto";
function verifySignature(req){
const signature = req.headers["x-todoist-hmac-sha256"];
const computed = crypto
.createHmac("sha256", process.env.TODOIST_CLIENT_SECRET)
.update(JSON.stringify(req.body))
.digest("base64");
return signature === computed;
}
This prompt helps an AI assistant understand your setup and guide you through the fix step by step, without assuming technical knowledge.
From startups to enterprises and everything in between, see for yourself our incredible impact.
They do complex work on extremely fast timelines and effectively manage the testing and pre-launch process to deliver the best possible product. I'm extremely impressed with their execution ability.
