Skip to main content
Everything a customer can do in the LAC portal at app.lastaccountingcompany.com is available programmatically: read the general ledger, pull VAT positions and financial statements, upload documents, draft and send invoices, check your connections — and talk to Björn, the AI accountant who keeps your books. One REST API, and the same capabilities as an MCP server for AI agents.

What the API is

LAC runs your company’s accounting as a service. The API is a window into that service — the same one the portal uses. It is read-heavy by design: your books are produced by LAC, and the API lets you read them in full and feed evidence and instructions back in.
  • Books & GL — canonical general-ledger rows, paginated, by month, quarter, or year.
  • VAT — per-period VAT view, previews, drafts, and filed returns.
  • Financial statements — income statement, balance sheet, and cash flow, with drill-down to the transactions behind any line.
  • Documents — upload receipts, invoices, and contracts as evidence; track ingest state.
  • Björn — message the AI accountant and read the conversation.
  • Filings — review requests, standing filing authorization, published output packages.
  • Invoicing — draft, send, credit, and remind; manage billing customers and recurring templates.
  • Payroll — stays in the portal: payroll data and actions require an interactive admin/approver in the portal UI and are not available to API keys.
  • Connections — health and syncs for bank, Stripe, Procountor, Fennoa, inbox, and Sheets connections.

Get an API key

API keys are created in the portal: Settings → API access. Only company admins can create them. Each key:
  • starts with lac_sk_ and is shown once at creation — store it immediately;
  • is pinned to one company, so you never pass a company identifier (accounts with multiple businesses mint one key per business);
  • carries one scope, read or write;
  • can be revoked at any time from the same settings page.

Scopes

ScopeWhat it allows
readRead-only access to everything: books, VAT, statements, analytics, documents, messages, filings, invoices, connections, imports.
writeEverything read allows, plus operator-level actions: upload documents, message Björn, draft and send invoices, request filing reviews, trigger connection syncs.
Even a write key can never touch payroll (payroll stays in the portal), change company settings, grant portal access, or manage API keys. Those require an interactive admin or approver signed in to the portal.

Quickstart

Authenticate every request with your key as a bearer token. Fetch your company overview:
curl -H "Authorization: Bearer lac_sk_..." \
  https://api.app.lastaccountingcompany.com/portal/overview
Read June’s general ledger:
curl -H "Authorization: Bearer lac_sk_..." \
  "https://api.app.lastaccountingcompany.com/portal/sheet?tab=books&range=2026-06"
Ask Björn a question:
curl -X POST \
  -H "Authorization: Bearer lac_sk_..." \
  -H "Content-Type: application/json" \
  -d '{"text": "Which purchases are still missing receipts for June?"}' \
  https://api.app.lastaccountingcompany.com/portal/messages
From here, the API reference covers every endpoint, and the MCP page connects the same capabilities to Claude, Cursor, VS Code, or your own agents.

Base URL

https://api.app.lastaccountingcompany.com/portal

Conventions

  • JSON in and out, snake_case field names.
  • Amounts are integer cents; rates are basis points (2550 = 25.5%, the Finnish standard VAT rate).
  • Periods are YYYY-MM; ranges accept YYYY-MM, YYYY-Qn, YYYY, all, this_month, or last_6_months.
  • Errors return a non-2xx status with {"error": "...", "detail": "..."}.
  • customer_id is optional everywhere — API keys are pinned to one company.

Keep your keys safe

  • Store keys in environment variables or a secret manager — never in source code, config files under version control, or client-side code.
  • Use read scope unless you need writes. Analysis, dashboards, and reporting agents should run on read-only keys.
  • Revoke on suspicion. Any admin can revoke a key instantly in Settings → API access; issue a new one afterwards.
  • API keys are company credentials, not personal ones — they keep working if the person who created them leaves. Revoke or rotate keys in Settings → API access when an admin departs.
  • Every action is tenant-isolated and audited. A key can only ever see and touch its own company, and every request is attributed to the key that made it.