Reference
LiveProfit Public API v1
REST endpoints for merchants and integrators. Read orders, P&L, product analytics, cohorts, LTV. Manage custom expenses and outbound webhooks. Available on the Scale plan; free for the 3 internal Luxi Horizon stores during beta.
Overview
Base URL: https://app.liveprofit.io/v1
Media type: application/json — request bodies and responses.
All requests are HTTPS. Non-HTTPS calls return 400.
Authentication
Create an API key in Settings → Developer. Keys look like lp_live_<40 hex> and are shown once at creation. Store safely — we hash-only at rest.
Send the key either way:
# Authorization header (recommended) curl -H "Authorization: Bearer lp_live_xxxx" \ https://app.liveprofit.io/v1/orders # X-API-Key header curl -H "X-API-Key: lp_live_xxxx" \ https://app.liveprofit.io/v1/orders
Keys are store-scoped — no store_id query param needed. Scopes:
| Scope | Grants |
|---|---|
read | All GET endpoints |
write | read + POST /v1/expenses, POST /v1/webhooks |
admin | Everything, incl. deleting subscriptions |
Rate limits
300 requests/minute per API key, rolling window. Exceeded limits return 429 Too Many Requests with a Retry-After header (seconds).
Response envelope
Success:
{
"data": { ... },
"pagination": { "total": 1234, "limit": 50, "offset": 100 }
}
Error:
{ "error": { "code": "invalid_scope", "message": "This key doesn't have write access." } }
Orders
GET /v1/orders
List orders in a date range.
Query params: from, to (YYYY-MM-DD, default last 30 days), status (PAID · PARTIALLY_REFUNDED · REFUNDED), limit (≤250, default 50), offset.
curl -H "X-API-Key: $KEY" \ "https://app.liveprofit.io/v1/orders?from=2026-06-01&to=2026-06-30&status=PAID&limit=100"
Order fields (no customer PII): id, name, created_at, date, status, total_price, total_refunded, cogs, discounts, shipping, transaction_fees.
GET /v1/orders/{id}
Single order including line_items — title, variant, qty, unit_price, unit_cost.
Products
GET /v1/products
Per-product analytics over from/to: revenue, COGS, attributed ad spend, net profit, margin, ROAS (uses the store's configured attribution model).
Analytics
GET /v1/analytics/dashboard
Same numbers as the dashboard UI.
Returns: { metrics, daily, display_currency }. metrics includes netProfit, grossRevenue, cogs, adSpend (+ per platform), customExpenses, roas, breakEvenRoas, margin.
GET /v1/analytics/pnl
Monthly rollup rows: month, gross_revenue, refunds, net_revenue, cogs, ad_spend, transaction_fees, custom_expenses, net_profit.
GET /v1/analytics/cohorts
Cohort rows with per-month retention + revenue. Query: months_back (default 12).
GET /v1/analytics/ltv
avg_ltv_30d / 90d / 365d / lifetime, avg_orders_per_customer, repeat_rate, customers_tracked.
Custom expenses
GET /v1/expenses
List all recurring & one-off expenses for the store.
POST /v1/expenses requires write
Body:
{
"name": "Office rent",
"category": "overhead",
"amount": 1200,
"currency": "CHF",
"frequency": "monthly",
"active_from": "2026-01-01",
"active_to": null
}
frequency ∈ once, daily, weekly, monthly, yearly.
Ad platforms
GET /v1/ad-platforms
Connection state per platform (no tokens returned). Fields: platform, ad_account_id, ad_account_name, connected_at, expires_at.
Outbound webhooks
GET /v1/webhooks
List active subscriptions for the store.
POST /v1/webhooks requires write
Body: { url, events, include_pii? }. url must be HTTPS. events is a comma-separated string from:
order.createdanomaly.criticalsync.failedreport.sentthreshold.breached
Response returns the signing secret — shown once. Store it.
Delivery signature
Every delivery includes:
Content-Type: application/json X-LiveProfit-Event: order.created X-LiveProfit-Signature: sha256=<hex hmac-sha256(rawBody, secret)>
Verify (Node.js):
const crypto = require('crypto');
const expected = 'sha256=' + crypto
.createHmac('sha256', SECRET)
.update(rawBody)
.digest('hex');
const valid = crypto.timingSafeEqual(
Buffer.from(header),
Buffer.from(expected)
);
Body shape: { event, store_id, timestamp, data }.
Retries & auto-disable
5xx/network errors retried at 2s / 10s / 30s. After 20 consecutive failures, the subscription auto-disables — re-enable in Settings → Developer. PII fields are stripped from payloads unless the subscription was created with include_pii: true.
Zapier & Make
Search LiveProfit in Zapier or import the Make blueprint. Both authenticate with your API key. Available triggers use the same webhook events listed above. Actions cover add_expense, get_dashboard, get_products.
Versioning
The /v1 namespace guarantees non-breaking additions only. Breaking changes go to /v2. Deprecations get a Sunset header 6 months in advance.
Something unclear? Email support@liveprofit.io — a human answers within 24h.