REST API — Introduction
The LedgerLou REST API gives direct, deterministic access to the GoBD-compliant general ledger. All endpoints are scope-protected, append-only-safe, and fully audited.
Base URL
https://api.ledgerlou.com
All endpoints start with /v1/. The full path for a request is therefore, for example, https://api.ledgerlou.com/v1/journal/bookings.
Authentication
Every request must include a valid API key in the Authorization header:
Authorization: Bearer ll_<your-api-key>
API keys always start with the ll_ prefix and are issued in the Dashboard under Settings → API keys. Requests without a valid key are rejected with 401 Unauthorized.
curl https://api.ledgerlou.com/v1/journal/bookings \
  -H "Authorization: Bearer ll_abc123..."

await fetch('/v1/journal/bookings', {
  headers: {
    Authorization: `Bearer ${apiKey}`
  }
});

Scopes
Every API key carries a list of scopes in the format module:action. Without the matching scope, the server returns 403 Forbidden — regardless of whether the key is valid.
| Action | Description | Example |
|---|---|---|
| :read | Read data | journal:read |
| :write | Write data | bank:write |
| admin | Global scope — all modules and actions | admin |
For every endpoint, this reference shows the required scope next to the method badge. Detailed scope table: Auth & Scopes.
Query parameters
GET endpoints accept filter and pagination parameters as a URL query string. Parameters are introduced with ? and joined with &:
GET /v1/journal/bookings?from=2026-01-01&to=2026-01-31&limit=50
Values must be URL-encoded. Strings with special characters (for example spaces in search terms) are encoded with encodeURIComponent():
GET /v1/accounts/search?q=Vorsteuer%2019%25
Dates are always in the format YYYY-MM-DD, monthly periods in the format YYYY-MM. All times are in UTC.
In this reference, required parameters are marked required. Missing required parameters return 400 Bad Request.
Response format
All responses are JSON. Successful requests return the HTTP status code 200 (or 201 for created resources). Errors follow this format:
{
  "error": "Short error description",
  "details": [ ... ] // optional, for validation errors
}

| Status | Meaning |
|---|---|
| 200 | Success |
| 201 | Resource created |
| 400 | Invalid input — parameters missing or in the wrong format |
| 401 | No or invalid API key |
| 403 | Missing scope for this action |
| 404 | Resource not found |
| 409 | Conflict — for example duplicate or locked period |
| 429 | Rate limit exceeded |
Rate limiting
Default limit: 300 requests per minute per API key. Auth endpoints (login, token) are limited to 10 requests per minute. When a limit is exceeded, the server returns 429 Too Many Requests with a Retry-After header.
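
The following JavaScript client ties together the rules on this page: URL-encoded query strings, the Bearer header, the error format, and Retry-After on 429. It is an added example, not LedgerLou's own code; buildUrl, retryDelayMs and llRequest are hypothetical names, and accepting Retry-After as either seconds or an HTTP-date is an assumption, since this page does not specify its format.

```javascript
// Added example; buildUrl, retryDelayMs and llRequest are hypothetical names.
const BASE_URL = 'https://api.ledgerlou.com';

// Build a /v1/ URL and percent-encode every query key and value.
function buildUrl(path, params = {}) {
  if (!path.startsWith('/v1/') || /[?#]/.test(path)) {
    throw new Error('path must start with /v1/ and carry no query or fragment');
  }
  const query = Object.entries(params)
    .filter(([, value]) => value !== undefined && value !== null)
    .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(String(value))}`)
    .join('&');
  return BASE_URL + path + (query ? `?${query}` : '');
}

// Retry-After may be delay-seconds or an HTTP-date (RFC 9110); the page does
// not say which LedgerLou sends, so both are handled (assumption). Capped.
function retryDelayMs(retryAfter, now = Date.now(), fallbackMs = 1000, maxMs = 60000) {
  if (retryAfter === null || retryAfter === undefined) return fallbackMs;
  const value = String(retryAfter).trim();
  const ms = /^\d+$/.test(value) ? Number(value) * 1000 : Date.parse(value) - now;
  if (!Number.isFinite(ms) || ms < 0) return fallbackMs;
  return Math.min(ms, maxMs);
}

// GET with Bearer auth; retries only on 429, never on 401/403.
async function llRequest(apiKey, path, params = {}, opts = {}) {
  const { fetchImpl = globalThis.fetch, maxRetries = 3 } = opts;
  const sleep = opts.sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  if (typeof apiKey !== 'string' || !apiKey.startsWith('ll_')) {
    throw new Error('API key must start with ll_'); // fail before any network call
  }
  const url = buildUrl(path, params); // the key is never placed in the URL
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${apiKey}` } });
    if (res.status === 429 && attempt < maxRetries) {
      await sleep(retryDelayMs(res.headers.get('Retry-After')));
      continue;
    }
    const body = await res.json();
    if (res.ok) return body;
    // 401: missing/invalid key; 403: key lacks the scope. Retrying cannot help.
    const err = new Error(`LedgerLou API ${res.status}: ${body.error}`);
    err.status = res.status;
    err.details = body.details; // optional, present for validation errors
    throw err;
  }
}
```

The thrown error carries the status and the server's error text but never the API key, so it can be logged as-is.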