Which APIs actually work headless in CI? I tested 387 of them
Updated April 2026 · Based on CLIRank scoring of 387 APIs
TL;DR
After scoring 387 APIs: only 30% ship a first-party CLI. Only 40% allow pure env var auth with no browser step. Headless is the real bottleneck, not rate limits, not SDK quality. If your CI job needs to touch more than three external APIs, assume at least one will fight you.
What headless actually means
Headless in CI is stricter than "has an API". It means:
- You can authenticate with an environment variable, full stop.
- No browser opens. No QR code. No email verification link.
- Every side effect the job needs is reachable via HTTP or a CLI that runs non-interactively.
- Errors come back as structured JSON, not HTML pages.
If any one of those is missing, the API fails the headless test. It might still be usable with a one-time human setup, but it is not something an agent can wire up end to end.
The three failure modes
1. Browser OAuth redirects. The single biggest cause of CI pain. Google Drive, LinkedIn, Notion, and a long tail of consumer-facing APIs all default to 3-legged OAuth. Agents cannot click through consent screens. Workarounds exist (service accounts, PATs, app-level tokens) but you have to know to ask.
2. MFA prompts on admin actions. Some APIs let you read with a token but require MFA for write operations, or for key rotation. AWS root actions, Apple App Store Connect, and several bank APIs live here. The API is not the problem. The account policy is.
3. CLI-only or dashboard-only features. The most frustrating class. The feature exists, but only behind a GUI. Shopify custom-app tokens, Zoom webhook endpoint setup, Stripe Radar rules: all have API gaps that force a human step.
Top 10 headless-friendly APIs
| API | Score | Why it works |
|---|---|---|
| Stripe | 10/10 | CLI + fixtures + webhook forwarder |
| Resend | 10/10 | Clean SDK, first-party CLI |
| Anthropic | 10/10 | Env var auth, no rate-limit friction |
| OpenAI | 10/10 | Env var auth, rich SDK |
| GitHub (via PAT) | 9/10 | PAT auth works in CI without OAuth dance |
| Cloudflare | 9/10 | wrangler CLI, API tokens, deploy from CI |
| Supabase | 9/10 | Service role key + CLI handles migrations |
| Vercel | 9/10 | vercel CLI works end-to-end in CI |
| Fly.io | 9/10 | flyctl, token auth, deploy from GitHub Actions |
| Postmark | 8/10 | Token auth, no browser required |
Top 10 APIs that fail headless
These APIs have value but force a human in the loop at some point. Budget for manual setup if you use them.
| API | Why it fails |
|---|---|
| Google Drive (user OAuth) | Interactive consent screen. Agents cannot click. |
| Instagram Graph API | OAuth + long-lived token refresh dance. Painful to script. |
| Notion (public) | Workspace-level OAuth. No pure API key path for personal use. |
| | 3-legged OAuth with a 60-day token lifetime. |
| TikTok for Developers | App review + OAuth + webhook verification via dashboard. |
| Apple App Store Connect | JWT signing with rotating keys + MFA for team access. |
| Zoom | OAuth default, and server-to-server is gated behind account tiers. |
| Microsoft Graph (personal) | Interactive sign-in required for consumer tenants. |
| Salesforce | OAuth + connected app setup that requires a human in Setup UI. |
| Shopify (custom apps) | Admin access-token generation is still dashboard-only per shop. |
The CI agent stack
If you are building an agent that runs in GitHub Actions, Fly Machines, or any serverless runner, these six APIs stack cleanly together and cover most of what a SaaS needs:
- Auth & DB: Supabase (service role key works headless)
- Payments: Stripe (CLI + fixtures + webhook forwarding)
- Email: Resend (single token, SDK, CLI)
- Hosting: Fly.io or Vercel (both deploy from CI with a token)
- LLM: Anthropic or OpenAI (env var, rate limits survive scripted use)
- Storage: Cloudflare R2 (S3-compatible, API token auth)
Every single one of those scores 9/10 or higher on CLIRank. That is not an accident. The ecosystem that agents are actually being built on has self-selected for headless.
How to test an API for headlessness before you commit
Before you wire a new API into production, run this five-step check:
- Sign up, then try to get an API key from curl alone. If you had to click a button labelled "Enable API", that is already a yellow flag.
- Hit the simplest endpoint with just an env var. No OAuth flow, no session cookie. If that returns 401, the API is not ready for CI.
- Read the rate-limit docs. If the limit is "60 per minute per user" with no separate service tier, you will hit it in a week of real traffic.
- Look for a CLI. A first-party CLI is a strong signal that the vendor cares about scripted use.
- Check webhook testing. If the only way to test a webhook is to expose localhost, the dev loop in CI is going to be miserable.
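The second step of that check, combined with the "structured JSON, not HTML" criterion from the definition above, can be scripted. This is an added example, not part of CLIRank or any vendor's tooling; the `API_TOKEN` variable name, the Bearer header scheme, and the sample responses are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 3xx to a login page is itself the finding,
    # and following it could forward the bearer token to another host.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, headers, body):
    """Return (verdict, reason) for one token-authenticated response."""
    ctype = headers.get("content-type", "").lower()
    if 300 <= status < 400:
        return "fail", "redirect to " + headers.get("location", "?") + " (browser step)"
    if "html" in ctype or body.lstrip()[:1] == b"<":
        return "fail", "HTML body instead of structured JSON"
    try:
        json.loads(body)
    except ValueError:
        return "fail", "body is not parseable JSON"
    if status in (401, 403):
        return "fail", "token alone was rejected (%d)" % status
    if 200 <= status < 300:
        return "pass", "env var auth returned JSON"
    return "warn", "structured error, status %d" % status

def probe(url, token_env="API_TOKEN"):
    """Send one GET authenticated only by an environment variable."""
    token = os.environ[token_env]  # KeyError here means the CI secret is unset
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token, "Accept": "application/json"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        resp = err
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return classify(resp.code, headers, resp.read())

# Constructed responses (not captured from any real API).
SAMPLES = [
    (200, {"content-type": "application/json"}, b'{"ok": true}'),
    (302, {"location": "https://example.test/oauth/authorize"}, b""),
    (401, {"content-type": "text/html"}, b"<html>Sign in</html>"),
    (401, {"content-type": "application/json"}, b'{"error": "bad token"}'),
]
```

Run `probe()` from the CI runner itself rather than a laptop, so the result reflects the runner's network path and secret injection; the function never prints the token, and neither should the job log.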
Bottom line
Headlessness is a hard filter. Most APIs claim it, few deliver it. When you are picking infra for an agent, assume every third-party dependency will be the thing that breaks your CI. Stick to the 30% that ship a real CLI and pure env var auth. The rest can stay in the browser where they belong.