| Setting | Value |
|---|---|
| Endpoint | https://api.app.lastaccountingcompany.com/mcp |
| Transport | Streamable HTTP, stateless (MCP spec 2025-11-25) |
| Auth | OAuth (hosted clients) or a portal API key as a bearer token: Authorization: Bearer lac_sk_... |
Authentication
Two ways in:
- OAuth — for hosted clients like claude.ai and ChatGPT. Add the endpoint URL in your assistant’s connector settings; it walks you through signing in with your normal LAC portal account (Google) and authorizing. On the consent screen you pick which business the connection is for — accounts with access to multiple businesses choose one business per connection. OAuth connections act with operator access: they can read the books and statements, upload documents, draft and send invoices, and message Björn — never approve payroll, change company settings, or manage access or keys, no matter your own portal role.
- Portal API key — for clients that send custom headers (Claude Code, Cursor, VS Code, the OpenAI Responses API, anything speaking streamable HTTP). Create one in Settings → API access (see getting started) and send it as a bearer token. Like OAuth connections, keys are minted per business. The tools you see follow the key’s scope: read-scope keys see only the read tools; write-scope keys see all 31.
Connect a client
claude.ai (web)
In claude.ai: Settings → Connectors → Add custom connector, and enter:
ChatGPT (web)
In ChatGPT: Settings → Connectors (requires developer mode / a plan with custom connectors) → add the same URL. ChatGPT runs the same OAuth sign-in.
Claude Code
Cursor
Add to ~/.cursor/mcp.json (or the project’s .cursor/mcp.json):
VS Code
Add to .vscode/mcp.json in your workspace:
OpenAI API (Responses)
Generic JSON
For any client that takes a standard MCP server config:
Tool reference
31 tools (18 read / 13 write). Read tools are available to every key; write tools appear only for write-scope keys and OAuth connections.
Read tools (all keys)
| Category | Tool | Description |
|---|---|---|
| Company | get_company_profile | Company profile: name, business ID (Y-tunnus), VAT period cadence. |
| Company | get_overview | Dashboard in one call: key metrics, attention items, books readiness. |
| Company | get_agent_status | Björn’s live status and document-ingest progress. |
| Books | get_books | General-ledger rows, paginated; range accepts YYYY-MM, YYYY-Qn, YYYY, or this_month. |
| Books | get_vat | The VAT view for a period. |
| Statements | get_financial_statements | Income statement, balance sheet, or cash-flow statement as a nested tree of lines. |
| Statements | drill_statement_line | The transactions behind one or more account codes on a statement line. |
| Statements | get_analytics | Time series over the books for a range. |
| Documents | list_documents | Uploaded evidence and the ingest state of each document. |
| Messaging | list_messages | The conversation history with Björn; limit returns the most recent N messages (default 50). |
| Filings | get_filings | VAT preview, drafts, filed returns, and the standing authorization state. |
| Filings | list_output_packages | Published VAT, financial-statement, and CIT output packages. |
| Invoicing | list_invoices | Sales invoices with their statuses; limit caps each list (default 100). |
| Invoicing | get_invoice | One invoice in full detail. |
| Invoicing | list_invoice_customers | The billing-customer party book. |
| Invoicing | list_recurring_invoices | Recurring invoice templates. |
| Connections | list_connections | Health of bank, Stripe, Procountor, Fennoa, inbox, and Sheets connections. |
| Imports | list_imports | Migration/import runs and their statuses. |
Write tools (write-scope keys)
| Category | Tool | Description |
|---|---|---|
| Documents | upload_documents | Upload base64-encoded files into the document-ingest pipeline. |
| Documents | update_document | Rename a document or attach a context note for bookkeeping. |
| Documents | delete_document | Delete an uploaded document. Destructive. |
| Messaging | send_message | Send a message to Björn, the AI accountant. |
| Filings | request_filing_review | Ask LAC to review a filing period. |
| Filings | set_filing_authorization | Set or withdraw the standing authorization for LAC to file on the company’s behalf. |
| Invoicing | create_invoice_draft | Draft a sales invoice (amounts in cents, VAT rates in basis points); drafting never sends anything. |
| Invoicing | send_invoice | Send a drafted invoice to the customer. Destructive: external delivery. |
| Invoicing | create_credit_note | Create a credit note against a sent invoice. Destructive. |
| Invoicing | request_payment_reminder | Request a payment reminder for an open invoice. |
| Invoicing | upsert_invoice_customer | Create or update a billing customer in the party book. |
| Connections | trigger_connection_sync | Trigger a data sync on an existing connection. |
| Connections | request_service_connection | Ask LAC to set up a service connection, e.g. a Suomi.fi mandate. |
Security
- Use read-only keys for analysis agents. A key with read scope exposes only the 18 read tools — the agent physically cannot send an invoice or delete a document.
- Keep a human in the loop for destructive tools. send_invoice, create_credit_note, and delete_document are annotated destructive in the tool definitions; configure your client to require confirmation before calling them (most clients respect the annotation by default).
- Mind prompt injection when combining servers. If an agent has the LAC server alongside other MCP servers or web access, content fetched from elsewhere could try to steer it into calling LAC write tools. Prefer read-only keys in mixed-tool setups, and review write actions.
- Revoke instantly. Keys are revoked in the portal under Settings → API access; a revoked key loses MCP access immediately. OAuth connections end when you disconnect the connector in the client.
- API keys are company credentials, not personal ones — they keep working if the person who created them leaves. Revoke or rotate keys in Settings → API access when an admin departs.
- Tenant isolation and audit. Every tool call is scoped to the key’s company and audited, like every REST request.
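
An added example, not LAC's own code: a client-side gate that applies the guidance above to a tools/list result before an agent's call goes out. It assumes the server marks tools with the MCP spec's readOnlyHint and destructiveHint annotations; the sample tool list and its annotation values are constructed.

```python
# Constructed sample of a tools/list result. Tool names come from the tables
# above; the annotation values are assumptions about how the server marks them.
SAMPLE_TOOLS = [
    {"name": "get_books", "annotations": {"readOnlyHint": True}},
    {"name": "list_invoices", "annotations": {"readOnlyHint": True}},
    {"name": "create_invoice_draft",
     "annotations": {"readOnlyHint": False, "destructiveHint": False}},
    {"name": "send_invoice",
     "annotations": {"readOnlyHint": False, "destructiveHint": True}},
    {"name": "delete_document",
     "annotations": {"readOnlyHint": False, "destructiveHint": True}},
    {"name": "send_message"},  # constructed edge case: annotations omitted
]


def classify(tool):
    """Map MCP tool annotations to 'read', 'write' or 'destructive'."""
    ann = tool.get("annotations") or {}
    if ann.get("readOnlyHint", False):
        return "read"
    # MCP default: a tool that is not read-only counts as destructive
    # unless it explicitly sets destructiveHint to false.
    return "destructive" if ann.get("destructiveHint", True) else "write"


def non_read_tools(tools):
    """Tools a read-scope key should never expose; expect [] for analysis agents."""
    return [t["name"] for t in tools if classify(t) != "read"]


def gate(tools, name, mixed_sources):
    """Decide on a proposed call: 'allow', 'confirm' (ask a human) or 'deny'.

    mixed_sources: the agent also has other MCP servers or web access, so
    fetched content could be steering it toward write tools.
    """
    by_name = {t["name"]: t for t in tools}
    if name not in by_name:
        return "deny"  # not advertised to this key or connection
    kind = classify(by_name[name])
    if kind == "read":
        return "allow"
    if kind == "destructive" or mixed_sources:
        return "confirm"
    return "allow"
```

Running non_read_tools against the list a read-scope key actually receives is a quick check that an analysis agent was not handed a write-scope key by mistake.
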
What’s deliberately not exposed
Some actions require an interactive admin or approver in the portal and are not available as MCP tools or to API keys at all:
- Payroll entirely (read and write) — payroll data and actions require an admin/approver in the portal UI.
- Company settings changes.
- Member and access management — inviting people, changing roles.
- API key management — a key can never mint or revoke keys.