The LAC portal API, endpoint by endpoint. Every endpoint is documented from the machine-readable source of truth, openapi.yaml — browse them in the sidebar. New here? Start with getting started.

Conventions

  • Base URL: https://api.app.lastaccountingcompany.com/portal
  • Auth: send Authorization: Bearer lac_sk_... on every request. Keys are created in the portal (Settings → API access) and carry a read or write scope. All GET endpoints need read and all mutations need write. The exception is payroll, where no endpoint (reads included) is available to API keys; payroll and a few other endpoints return 403 because they need an interactive admin or approver in the portal.
  • JSON in and out, snake_case fields.
  • Amounts are integer cents. Rates are basis points (2550 = 25.5%). Periods are YYYY-MM.
  • Ranges: YYYY-MM | YYYY-Qn | YYYY | all | this_month | last_6_months.
  • customer_id is an optional parameter everywhere — API keys are pinned to one company, so you can omit it.
  • Errors: non-2xx status with a body of {"error": "...", "detail": "..."} (401 missing/invalid token, 403 insufficient scope or role, 404 not found, 422 validation failure).

Limits

  • Document uploads: at most 20 files and 25 MB per request.
  • Sheet pagination: limit is capped at 200 rows per page.

Not for API keys

Some endpoint families serve the portal UI and require an interactive admin or approver session (Firebase token); API keys receive 403:
  • Payroll — every payroll endpoint, reads included.
  • Company settings: POST /company/settings.
  • API key management: GET/POST /api-keys, DELETE /api-keys/{key_id}. A key can never mint or revoke keys.
API keys are company credentials, not personal ones — they keep working if the person who created them leaves. Revoke or rotate keys in Settings → API access when an admin departs.
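
A client-side preflight for the rules above, as an added example that is not part of the LAC documentation or any LAC SDK: it checks scope and the interactive-only routes before a request is sent, validates a range string, and decodes the error body. The function names and the scope-set parameter are assumptions; payroll is left out because this page gives no payroll path.

```python
import json
import re

# Interactive-only routes whose paths appear on this page. Payroll is also
# interactive-only, but the page gives no payroll path, so it is not encoded.
INTERACTIVE_ONLY = [
    ("POST", re.compile(r"/company/settings")),
    ("GET", re.compile(r"/api-keys")),
    ("POST", re.compile(r"/api-keys")),
    ("DELETE", re.compile(r"/api-keys/[^/]+")),
]
RANGE_RE = re.compile(
    r"[0-9]{4}(-(0[1-9]|1[0-2])|-Q[1-4])?|all|this_month|last_6_months")
STATUS_MEANING = {401: "missing/invalid token", 403: "insufficient scope or role",
                  404: "not found", 422: "validation failure"}


def preflight(method, path, key_scopes):
    """Return None if a key holding key_scopes may attempt the call, else why not.

    key_scopes is a set, because the page does not say whether write implies read.
    """
    method = method.upper()
    if any(m == method and rx.fullmatch(path) for m, rx in INTERACTIVE_ONLY):
        return "needs an interactive admin or approver session; API keys get 403"
    needed = "read" if method == "GET" else "write"
    return None if needed in key_scopes else f"key lacks {needed} scope"


def valid_range(value):
    """True for YYYY-MM, YYYY-Qn, YYYY, all, this_month or last_6_months."""
    return RANGE_RE.fullmatch(value) is not None


def explain_error(status, body_text):
    """Turn a non-2xx response into a dict; tolerates a body that is not JSON."""
    try:
        body = json.loads(body_text)
    except ValueError:
        body = {}
    if not isinstance(body, dict):
        body = {}
    return {"status": status, "meaning": STATUS_MEANING.get(status, "unexpected"),
            "error": body.get("error"), "detail": body.get("detail")}
```

Running the preflight in CI against the calls an integration makes catches a key that was issued with the wrong scope before it produces 403s in production.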