Getting Started
The simple REST API enables developers to quickly integrate their
applications. The API services are under active development to provide
more complete functionality.
All entity IDs are 64-bit integers. JavaScript clients must handle them carefully to avoid silent precision loss. See JavaScript / TypeScript Integration for details.
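The precision loss described above, and one way to avoid it, as an added example (not Lofty's code and not part of the original documentation). The helper names, the field names `leadId`, `note` and `score`, and the ID value are constructed for illustration; large integers are returned as strings and converted with `BigInt` only when arithmetic or comparison is needed.

```javascript
// Added example. "leadId", "note", "score" and the ID value are constructed.

// Wrap every integer literal outside the safe range in quotes, so JSON.parse
// returns it as an exact string instead of a rounded double.
function quoteUnsafeIntegers(json) {
  let out = '';
  let i = 0;
  while (i < json.length) {
    const ch = json[i];
    if (ch === '"') {
      // Copy string literals verbatim, stepping over backslash escapes.
      let j = i + 1;
      while (j < json.length && json[j] !== '"') j += json[j] === '\\' ? 2 : 1;
      out += json.slice(i, j + 1);
      i = j + 1;
    } else if (ch === '-' || (ch >= '0' && ch <= '9')) {
      // Consume one whole number token (integer, fraction or exponent).
      let j = i + 1;
      while (j < json.length && /[0-9.eE+-]/.test(json[j])) j++;
      const token = json.slice(i, j);
      const unsafe = /^-?\d+$/.test(token) && !Number.isSafeInteger(Number(token));
      out += unsafe ? `"${token}"` : token;
      i = j;
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Hypothetical helper name: parse a response body, keeping large IDs exact.
function parseWithExactIds(json) {
  return JSON.parse(quoteUnsafeIntegers(json));
}

// Constructed response body with an ID just above Number.MAX_SAFE_INTEGER.
const sampleBody =
  '{"leadId": 9007199254740993, "note": "ref 9007199254740993", "score": 42}';

const naive = JSON.parse(sampleBody);
const exact = parseWithExactIds(sampleBody);
console.log(String(naive.leadId)); // rounded to a neighbouring value
console.log(exact.leadId);         // digits preserved as a string
console.log(BigInt(exact.leadId) + 1n); // arithmetic/comparison via BigInt
```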
Authentication
Lofty supports two methods for API authentication: OAuth 2.0 and API Key.
1. OAuth 2.0 (Recommended for Third-Party Integrations)
OAuth 2.0 allows secure integrations between third-party applications and Lofty without sharing passwords. To obtain an access_token, please refer to the Lofty OAuth2.0 documentation. When making API calls with OAuth 2.0, include the following headers:
| Header | Value |
|---|---|
| Content-type | application/json |
| Authorization | Bearer [access_token] |
Each OAuth access token is scoped to a specific set of APIs. Calling an endpoint that your application has not been granted access to will return error code 200100 ("Sorry, the vendor does not have permission for this API.") — even if the token itself is valid. If you need access to an additional endpoint, grant it to your application in the Developer portal.
2. API Key (Use with Caution)
Lofty also supports API connections using an API Key, available at Settings > Integrations > API in each user's Lofty account. When making API calls with an API Key, include the following headers:
| Header | Value |
|---|---|
| Content-type | application/json |
| Authorization | token [API_KEY] |
Disclaimer: API keys must remain internal, with restricted scope, and must not be shared with external vendors. The API Key method is less recommended because:
- It is not subject to security assessments or automatic expiration.
- The client assumes full responsibility for managing the API key’s usage and security.
- Lofty strongly recommends using OAuth 2.0 whenever possible for better security and control.