Lawfficient API

Authentication

Authenticate requests with a per-firm API key sent as a Bearer token.

Every request authenticates with a per-firm API key, sent as a Bearer token:

curl https://app.lawfficient.com/api/leads \
  -H "Authorization: Bearer $LAWFFICIENT_API_KEY"

The key resolves your firm server-side — a firm id is never read from the request body or query, so a key can only ever touch its own firm's data.

Keys and scopes

A key carries one or more scopes that gate what it can do:

| Scope | Grants |
| --- | --- |
| leads:read | List and fetch leads |
| leads:write | Create, update, archive, and restore leads |
| consultations:read | List and fetch consultations |
| consultations:write | Book, reschedule, and cancel consultations |

Keys are stored hashed — only a SHA-256 hash and the last four characters are kept, so the raw key is shown once at creation and can't be recovered. Treat it like a password: keep it on the server, never ship it in client-side code.

A NEXT_PUBLIC_-style or browser-embedded key is a leaked key. Call the API from your backend.

Creating a key

An admin (with Manage settings) mints keys in Settings → Integrations → Developer access → API keys. Pick a name and the scopes it needs — read-only by default — then copy the key: it's shown once (prefix lak_) and can't be retrieved afterward. Disable or delete a key from the same screen to revoke it immediately.

Failure modes

| Status | code | Meaning |
| --- | --- | --- |
| 401 | missing_key | No Authorization: Bearer header |
| 401 | invalid_key | The key doesn't match any active key |
| 403 | key_disabled | The key exists but has been disabled |
| 403 | insufficient_scope | The key lacks the scope this endpoint requires |

All errors follow the error envelope.
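The following is an added example, not Lawfficient's code: a minimal model of the scheme this page describes, showing how hash-only key storage, server-side firm resolution, and scopes produce the four failure codes. The names `KEYS`, `key_digest`, `mint_key`, and `authenticate`, the key body after the `lak_` prefix, the order of the checks, and the 200 on success are assumptions.

```python
import hashlib
import secrets

# Hypothetical key store: SHA-256 digest -> record. The raw key is never kept,
# which is why it can only be shown once at creation.
KEYS = {}


def key_digest(raw_key):
    """SHA-256 of the raw key; a fast hash is fine because the key is random."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


def mint_key(firm_id, scopes=("leads:read",)):
    """Create a key (read-only by default) and return the raw value once."""
    raw = "lak_" + secrets.token_urlsafe(32)  # body format is an assumption
    KEYS[key_digest(raw)] = {
        "firm_id": firm_id,        # firm is bound to the key, not the request
        "scopes": set(scopes),
        "last4": raw[-4:],         # kept only so an admin can recognise the key
        "disabled": False,
    }
    return raw


def authenticate(authorization, required_scope):
    """Map an Authorization header value to (status, code, firm_id)."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "missing_key", None
    raw = authorization[len("Bearer "):].strip()
    record = KEYS.get(key_digest(raw))  # lookup by hash; no raw key comparison
    if record is None:
        return 401, "invalid_key", None
    if record["disabled"]:              # check order here is an assumption
        return 403, "key_disabled", None
    if required_scope not in record["scopes"]:
        return 403, "insufficient_scope", None
    # The caller never supplies a firm id; it comes from the key record.
    return 200, None, record["firm_id"]
```
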
