API Keys & Public API
Lumabill offers a public REST API that lets you automate invoicing, expenses, bookkeeping, and more. The API is available to Pro and Lifetime subscribers; on any other plan, upgrade under Subscription & Modules to unlock access.
Creating an API Key
- Go to Settings > API in the Lumabill dashboard
- Click Create API Key
- Enter a label (e.g. "Zapier integration" or "n8n automation")
- Choose the access mode:
  - Read & Write — full access to create, update, and delete data
  - Read Only — can only read data, ideal for reporting or AI/MCP integrations
- Optionally, scope the key to a specific profile
- Click Create — the key is displayed once. Copy it immediately and store it securely.
You can create up to 10 API keys per account. Only the account owner can manage API keys.
Authentication
All API requests require a Bearer token in the Authorization header:
Authorization: Bearer lmb_your_api_key_here
API keys start with the prefix lmb_.
Profile Scoping
If your key is scoped to a specific profile, every request automatically uses that profile and no extra header is needed. If your key has access to all profiles, send the X-Profile-Id header with each request to select the profile it should act on:
X-Profile-Id: your-profile-uuid
Use GET /v1/profiles to list available profiles.
Smart Defaults
When creating invoices or offers, most fields are optional. The API auto-resolves them from your profile settings:
| Field | Auto-resolved from |
|---|---|
| Invoice number | Profile prefix + sequential counter (e.g. IV-010) |
| Issue date | Today |
| Due date | Issue date + payment deadline (default 30 days) |
| Currency | Profile default currency |
| Tax rate | Profile default tax rate |
| Sender details | Profile company name, address, IBAN |
| Payment info | Profile payment template |
Minimal example — create an invoice with just a client reference and line items:
POST /v1/invoices
{
"client_id": "your-client-uuid",
"lines": [
{ "description": "Consulting", "quantity": 2, "price": 150 }
]
}
Any field you explicitly provide overrides the profile default.
Rate Limits
| Operation | Limit |
|---|---|
| Reads (GET) | 60 requests/minute |
| Writes (POST, PUT, DELETE) | 20 requests/minute |
Exceeding a limit returns 429 Too Many Requests with a Retry-After header; wait for the period it specifies before retrying instead of retrying immediately.
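The client below is an added example, not Lumabill's own SDK or code from this page. It ties together the three rules above: the Bearer header built from a key with the lmb_ prefix, the optional X-Profile-Id header for keys that can see all profiles, the minimal invoice body that leaves the smart defaults to the server, and a back-off loop that honours Retry-After on 429 while treating 401 as a revoked or invalid key. The base URL, the `FakeServer` transport, the sample key and the profile UUID are all assumptions constructed so the example runs offline; with a real HTTP library the transport would be a thin wrapper that returns the status, headers and decoded JSON.

```python
import time
from typing import Optional

KEY_PREFIX = "lmb_"  # documented prefix of every Lumabill API key


def is_valid_key_format(api_key) -> bool:
    """Cheap sanity check before any request leaves the process."""
    return isinstance(api_key, str) and api_key.startswith(KEY_PREFIX) and len(api_key) > len(KEY_PREFIX)


def build_headers(api_key: str, profile_id: Optional[str] = None) -> dict:
    """Bearer auth plus X-Profile-Id, which only a key with access to all profiles needs."""
    if not is_valid_key_format(api_key):
        raise ValueError("expected a Lumabill API key starting with lmb_")
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    if profile_id:
        headers["X-Profile-Id"] = profile_id
    return headers


def redact(api_key: str) -> str:
    """Log-safe form of a key: prefix and last four characters only."""
    return api_key[: len(KEY_PREFIX)] + "..." + api_key[-4:]


class LumabillClient:
    # transport(method, url, headers, json_body) -> (status, response_headers, json_body); injectable for offline use
    def __init__(self, api_key: str, transport, profile_id: Optional[str] = None,
                 base_url: str = "https://api.lumabill.example/v1",  # placeholder host, an assumption
                 max_retries: int = 3, sleep=time.sleep):
        self.api_key, self.transport, self.profile_id = api_key, transport, profile_id
        self.base_url, self.max_retries, self.sleep = base_url.rstrip("/"), max_retries, sleep

    def request(self, method: str, path: str, body: Optional[dict] = None):
        headers = build_headers(self.api_key, self.profile_id)
        for attempt in range(self.max_retries + 1):
            status, resp_headers, data = self.transport(method, self.base_url + path, headers, body)
            if status == 429 and attempt < self.max_retries:
                # Back off for the advertised period instead of burning the per-minute budget
                self.sleep(float(resp_headers.get("Retry-After", "1")))
                continue
            if status == 401:
                # Never put the full key in an error message; it may end up in a log aggregator
                raise PermissionError(f"key {redact(self.api_key)} rejected (invalid or revoked)")
            if status >= 400:
                raise RuntimeError(f"{method} {path} failed with HTTP {status}: {data}")
            return data
        raise RuntimeError(f"{method} {path} still rate-limited after {self.max_retries} retries")

    def list_profiles(self):
        return self.request("GET", "/profiles")

    def create_invoice(self, client_id: str, lines: list, **overrides):
        """Only client_id and lines are required; omitted fields fall back to profile defaults."""
        return self.request("POST", "/invoices", {"client_id": client_id, "lines": lines, **overrides})


class FakeServer:
    """Constructed stand-in for the API so the example runs offline; not the real service."""

    def __init__(self, valid_key: str, rate_limit_hits: int = 1):
        self.valid_key, self.rate_limit_hits, self.calls = valid_key, rate_limit_hits, []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers.get("X-Profile-Id"), body))
        if headers.get("Authorization") != f"Bearer {self.valid_key}":
            return 401, {}, {"error": "Unauthorized"}
        if method == "GET" and url.endswith("/profiles"):
            return 200, {}, [{"id": "11111111-2222-3333-4444-555555555555", "name": "Example Co"}]
        if method == "POST" and url.endswith("/invoices"):
            if self.rate_limit_hits > 0:
                self.rate_limit_hits -= 1
                return 429, {"Retry-After": "2"}, {"error": "Too Many Requests"}
            # Echo the request plus the fields the real API auto-resolves from the profile
            return 201, {}, {**body, "number": "IV-010", "currency": "EUR", "status": "draft"}
        return 404, {}, {"error": "Not Found"}


def check_key(client: LumabillClient) -> str:
    """Liveness probe costing one read: GET /v1/profiles works for read-only keys too."""
    try:
        client.list_profiles()
        return "ok"
    except PermissionError:
        return "rejected"


def demo():
    key = "lmb_constructedexamplekey0001"  # constructed sample key, not a real credential
    profile = "11111111-2222-3333-4444-555555555555"  # constructed profile UUID
    server = FakeServer(valid_key=key)
    waits = []  # record the back-off instead of sleeping
    client = LumabillClient(key, server, profile_id=profile, sleep=waits.append)
    invoice = client.create_invoice("client-uuid", [{"description": "Consulting", "quantity": 2, "price": 150}])
    revoked = LumabillClient("lmb_revokedkey00000000000000", FakeServer(valid_key=key), sleep=waits.append)
    return {"invoice": invoice, "waits": waits, "calls": server.calls, "revoked": check_key(revoked)}
```

In `demo()` the first POST is throttled, the client sleeps for the two seconds the fake server advertises, and the retry succeeds with the number, currency and status the server filled in; the second client uses a key the server does not recognise and is reported as rejected without the key ever appearing in full in the error.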
API Documentation
Full interactive API documentation (Swagger UI) is available at:
The documentation covers all endpoints, request/response schemas, error codes, and includes examples for common operations.
Available Endpoints
| Resource | List | Get | Create | Update | Delete |
|---|---|---|---|---|---|
| Invoices | GET | GET | POST | PUT | DELETE |
| Clients | GET | GET | POST | PUT | DELETE |
| Expenses | GET | GET | POST | PUT | DELETE |
| Journal entries | GET | GET | POST | PUT | DELETE |
| Vendors | GET | GET | POST | PUT | DELETE |
| Recurring invoices | GET | GET | POST | PUT | DELETE |
| Offers | GET | GET | POST | PUT | DELETE |
| Catalog | GET | GET | POST | PUT | DELETE |
| Bank accounts | GET | GET | POST | PUT | DELETE |
| Profiles | GET | GET | — | — | — |
| Reports | GET | GET | — | — | — |
| Revenue | GET | — | — | — | — |
Revoking a Key
- Go to Settings > API
- Find the key in the list
- Click Revoke and confirm
Revoked keys are immediately invalidated. Any requests using a revoked key will receive a 401 Unauthorized response.
Security Best Practices
- Never share API keys in client-side code, public repositories, or browser JavaScript
- Use read-only keys for integrations that only need to fetch data
- Scope keys to a single profile when the integration only needs access to one company
- Rotate keys periodically: create the new key first, switch the integration over, then revoke the old one
- Store keys in environment variables or a secrets manager, never in plain text files
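The practices above are easier to enforce than to remember, so here is an added example (not code from Lumabill or this page) of two small checks a team can wire into its own tooling: loading the key from an environment variable and refusing to start without it, and a pre-commit style scan that flags anything resembling a Lumabill key in files about to be committed. The page only documents the lmb_ prefix, so the assumed key body (alphanumeric, at least 16 characters) is a guess to be tuned to what the dashboard actually issues; the sample files, key values and the `LUMABILL_API_KEY` variable name are constructed for the example.

```python
import os
import re

KEY_PREFIX = "lmb_"
# ASSUMPTION: the part after the documented lmb_ prefix is alphanumeric and at least 16 characters.
# The page does not specify the format, so adjust this to what your dashboard actually issues.
KEY_PATTERN = re.compile(r"(?<![A-Za-z0-9_])lmb_[A-Za-z0-9]{16,}(?![A-Za-z0-9])")


def redact(api_key: str) -> str:
    """Log-safe form of a key: prefix and last four characters only."""
    return api_key[: len(KEY_PREFIX)] + "..." + api_key[-4:]


def load_api_key(env_var: str = "LUMABILL_API_KEY", environ=None) -> str:
    """Read the key from the environment (populated by a secrets manager or the shell) and validate it."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; do not fall back to a key baked into the code")
    if not key.startswith(KEY_PREFIX):
        raise ValueError(f"{env_var} does not look like a Lumabill key (expected lmb_ prefix)")
    return key


def find_leaked_keys(text: str):
    """Return (line_number, redacted_key) for every Lumabill-looking key in text."""
    return [(n, redact(m.group()))
            for n, line in enumerate(text.splitlines(), 1)
            for m in KEY_PATTERN.finditer(line)]


def scan_files(files: dict) -> dict:
    """Map path -> findings for every file containing a key; the shape a pre-commit hook would report."""
    return {path: hits for path, content in files.items() if (hits := find_leaked_keys(content))}


# Constructed sample repository contents; the key is made up and the files do not exist
SAMPLE_FILES = {
    "web/app.js": (
        "// BAD: key shipped to the browser, readable by anyone who opens devtools\n"
        'const KEY = "lmb_9f8e7d6c5b4a39281706f5e4d3c2b1a0";\n'
        'fetch("/v1/invoices", { headers: { Authorization: `Bearer ${KEY}` } });\n'
    ),
    # Placeholder value from the docs: no 16-character alphanumeric body, so it is not flagged
    ".env.example": "LUMABILL_API_KEY=lmb_your_api_key_here\n",
    "backend/invoices.py": "key = os.environ['LUMABILL_API_KEY']  # GOOD: injected at runtime\n",
}


def demo():
    findings = scan_files(SAMPLE_FILES)
    key = load_api_key(environ={"LUMABILL_API_KEY": "lmb_constructedexamplekey0001"})  # constructed value
    return findings, redact(key)


if __name__ == "__main__":
    for path, hits in demo()[0].items():
        for line_no, masked in hits:
            print(f"{path}:{line_no}: possible Lumabill API key {masked}")
```

Run against the sample files the scanner reports only `web/app.js`, line 2, with the key already masked, so the hook's own output never becomes a second copy of the secret; the placeholder in `.env.example` and the environment lookup in the backend pass clean.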