# API reference

> Conventions, authentication, and boundaries for the LAC customer REST API.

The LAC portal API, endpoint by endpoint. Every endpoint is documented from the machine-readable source of truth, [openapi.yaml](https://docs.lastaccountingcompany.com/openapi.yaml). New here? Start with [getting started](/).

## Conventions

**Base URL**: `https://api.app.lastaccountingcompany.com/portal`

* **Auth**: `Authorization: Bearer lac_sk_...` on every request. Keys are created in the portal (Settings → API access) and carry a `read` or `write` scope. All `GET` endpoints need `read` and all mutations need `write`. The exception is payroll, where **every** endpoint (reads included) is **not for API keys**; payroll and a few other endpoints return `403` to API keys because they need an interactive admin or approver in the portal.
* **JSON** in and out, `snake_case` fields.
* **Amounts** are integer cents. **Rates** are basis points (`2550` = 25.5%). **Periods** are `YYYY-MM`.
* **Ranges**: `YYYY-MM` | `YYYY-Qn` | `YYYY` | `all` | `this_month` | `last_6_months`.
* **`customer_id`** is an optional parameter everywhere — API keys are pinned to one company, so you can omit it.
* **Errors**: non-2xx status with a body of `{"error": "...", "detail": "..."}` (`401` missing/invalid token, `403` insufficient scope or role, `404` not found, `422` validation failure).

## Limits

* Document uploads: at most **20 files** and **25 MB** per request.
* Sheet pagination: `limit` is capped at **200** rows per page.

## Not for API keys

Some endpoint families serve the portal UI and require an interactive admin or approver session (Firebase token); API keys receive `403`:

* **Payroll** — every payroll endpoint, reads included.
* **Company settings** — `POST /company/settings`.
* **API key management** — `GET/POST /api-keys`, `DELETE /api-keys/{key_id}`. A key can never mint or revoke keys.

API keys are company credentials, not personal ones — they keep working if the person who created them leaves. Revoke or rotate keys in Settings → API access when an admin departs.
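
The following is an added example, not LAC's own code: a client-side pre-flight check built from the conventions and the "Not for API keys" list above. It reports which scope a call needs, refuses calls the API would reject, and turns an error body into one log line that never contains the key. The function names, the `/example-resource` path used when calling it, and passing `range` and `limit` as query parameters are assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://api.app.lastaccountingcompany.com/portal"
RANGE_RE = re.compile(
    r"\d{4}-(0[1-9]|1[0-2])|\d{4}-Q[1-4]|\d{4}|all|this_month|last_6_months")
# Session-only routes named on the page. Payroll is session-only too, but the
# page gives no payroll paths, so none are listed here.
SESSION_ONLY = [("POST", r"/company/settings"), ("GET", r"/api-keys"),
                ("POST", r"/api-keys"), ("DELETE", r"/api-keys/[^/]+")]
STATUS_MEANING = {401: "missing/invalid token", 403: "insufficient scope or role",
                  404: "not found", 422: "validation failure"}


def required_scope(method, path):
    """Scope a key needs for this call, or None if no API key may make it."""
    method = method.upper()
    if any(m == method and re.fullmatch(rx, path) for m, rx in SESSION_ONLY):
        return None
    return "read" if method == "GET" else "write"


def build_request(method, path, key, params=None):
    """Reject calls the API would refuse, then attach the bearer key."""
    if required_scope(method, path) is None:
        raise PermissionError(f"{method} {path} needs a portal session")
    params = dict(params or {})
    # Assumption: `range` and `limit` travel as query parameters with these names.
    if "range" in params and not RANGE_RE.fullmatch(params["range"]):
        raise ValueError(f"bad range: {params['range']!r}")
    if int(params.get("limit", 0)) > 200:
        raise ValueError("limit is capped at 200")
    url = BASE_URL + path + ("?" + urllib.parse.urlencode(params) if params else "")
    return urllib.request.Request(url, method=method.upper(),
                                  headers={"Authorization": f"Bearer {key}"})


def explain_error(status, raw_body):
    """Turn a non-2xx response into one log-safe line (never includes the key)."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        body = {}
    body = body if isinstance(body, dict) else {}
    meaning = STATUS_MEANING.get(status, "unexpected status")
    return f"{status} {meaning}: {body.get('error', '?')} ({body.get('detail', '')})"
```

Pass the key in from a secret store or environment variable rather than embedding it in source, and hand the returned request to `urllib.request.urlopen`.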
