# LedgerSync > Connect your users' bank accounts and pull their transactions, statements, and balances through one uniform API. ## Docs - [Get an account](https://docs.ledgersyncappv2.com/api-reference/accounts/get-an-account.md): Look up a single Account by id. Returns name, type, current balance, mask (last 4 of the account number), and the Connection it came from. - [List accounts](https://docs.ledgersyncappv2.com/api-reference/accounts/list-accounts.md): List every Account across all of your Clients. Filter to one Client, one Connection, or one source if you only want a subset. Balances on each Account reflect the most recent refresh — check `last_refreshed_at` to see how fresh that is. - [Create an API key](https://docs.ledgersyncappv2.com/api-reference/apikeys/create-an-api-key.md): Mint a new API key for one environment. The plaintext `secret` is returned exactly once in this response — store it somewhere safe (a secrets manager, an env var on your server) right away. We only keep a hash on our side, so we can't recover it for you later. - [List your API keys](https://docs.ledgersyncappv2.com/api-reference/apikeys/list-your-api-keys.md): All keys belonging to your customer. The plaintext secret isn't returned — keys are identified by their prefix and the `id`. Filter by `environment` (`sandbox` or `live`) when you're managing them separately. - [Revoke an API key](https://docs.ledgersyncappv2.com/api-reference/apikeys/revoke-an-api-key.md): Immediately stop accepting requests signed by this key. There's no undo — if you revoked the wrong one, just create a new key. Any in-flight requests already past auth keep running. - [Create a client](https://docs.ledgersyncappv2.com/api-reference/clients/create-a-client.md): Create a Client (your end-user) before linking any bank accounts. The only field we need is something to identify them — use `external_id` to join back to a user record in your system, plus optional `email` and `name` for display. - [Create a hosted pick-and-connect link for a client](https://docs.ledgersyncappv2.com/api-reference/clients/create-a-hosted-pick-and-connect-link-for-a-client.md): Returns a LedgerSync-hosted URL you email to an end-user (a member). They open it, search for their own bank, pick it, and connect it — no `institution_id` needed up front. This is the v3 replacement for the old "add/lite" widget for integrators who don't want to build their own bank picker. - [Delete a client and everything attached](https://docs.ledgersyncappv2.com/api-reference/clients/delete-a-client-and-everything-attached.md): Destructive. Removes the Client, every Connection they own, and all derived accounts / transactions / statements. This also revokes any active aggregator-side authorizations. - [Get a client](https://docs.ledgersyncappv2.com/api-reference/clients/get-a-client.md): Fetch a single Client by id. Returns everything you sent at creation plus the LedgerSync-assigned `id` and timestamps. - [List clients](https://docs.ledgersyncappv2.com/api-reference/clients/list-clients.md): Page through the Clients you've created. Use `cursor` for pagination (it's opaque — just hand back what we sent) and filter by `email` to look up a specific user. - [Mint a short-lived end-user token](https://docs.ledgersyncappv2.com/api-reference/clients/mint-a-short-lived-end-user-token.md): A few endpoints act on behalf of a specific end-user — for example, submitting an MFA challenge during connection setup. Those use a different credential than your normal API key: a short-lived (5-minute) bearer token bound to one Client. - [Revoke a hosted connect link](https://docs.ledgersyncappv2.com/api-reference/clients/revoke-a-hosted-connect-link.md): Invalidate a previously created connect link so it can no longer be opened. Scoped to your account: an unknown, already-revoked, or foreign session returns `404`. - [Update a client](https://docs.ledgersyncappv2.com/api-reference/clients/update-a-client.md): Partial update — send only the fields you want to change. Omitted fields stay as they are. Useful for keeping `name` or `metadata` in sync with your own user record. - [Disconnect and remove a connection](https://docs.ledgersyncappv2.com/api-reference/connections/disconnect-and-remove-a-connection.md): Revokes our access to the user's bank for this connection and removes the Connection record. Accounts and transactions are kept for your historical reference unless you delete the whole Client. - [Get a connection](https://docs.ledgersyncappv2.com/api-reference/connections/get-a-connection.md): Look up a Connection by id. The `status` field tells you where it is in its lifecycle and `last_error` carries any recent failure details. - [LedgerSync-hosted MX Connect wrapper page (browser-facing)](https://docs.ledgersyncappv2.com/api-reference/connections/ledgersync-hosted-mx-connect-wrapper-page-browser-facing.md): Browser-facing HTML page — **not** an integrator API call. When a connection routes to MX, the `widget_url` action returned by `POST /clients/{client_id}/connections` points here (MX Connect has no native post-Connect redirect of its own). Open it in the user's browser or iframe it, exactly like Fin… - [LedgerSync-hosted pick-and-connect page (browser-facing)](https://docs.ledgersyncappv2.com/api-reference/connections/ledgersync-hosted-pick-and-connect-page-browser-facing.md): Browser-facing HTML page — **not** an integrator API call. A member lands here when they open the `url` returned by `POST /clients/{client_id}/connect-session`. They search for their own bank, pick it, and are handed off to the per-source connect widget (Finicity Connect / the MX wrapper page / the… - [List a client's connections](https://docs.ledgersyncappv2.com/api-reference/connections/list-a-clients-connections.md): List every Connection a Client has linked. Filter by `source` (Finicity / MX / FDE) or by `status` to find the connections you care about — for example, all `requires_action` connections so you can nudge the user back into the widget. - [Refresh a connection](https://docs.ledgersyncappv2.com/api-reference/connections/refresh-a-connection.md): Force a re-pull of accounts and recent transactions for this Connection. Banks usually post new transactions once a day so we already refresh active connections automatically — call this only when you have a specific reason to need fresher data (user just clicked a "refresh" button, you're reconcili… - [Start a new bank connection](https://docs.ledgersyncappv2.com/api-reference/connections/start-a-new-bank-connection.md): Kick off a connection between a Client and a bank. Send only `institution_id` (a v3 catalog id from `GET /v3/institutions`). LedgerSync's router picks the underlying source (Finicity vs MX) per its routing rules — integrators don't pick a source. - [Verify a redirect-token (ls_token) from the post-Connect callback](https://docs.ledgersyncappv2.com/api-reference/connections/verify-a-redirect-token-ls_token-from-the-post-connect-callback.md): Public, unauthenticated endpoint. After a Finicity Connect widget completes, the integrator's `redirect_url` is hit with an `ls_token` query parameter — a short-lived HS256 JWT minted by v3. The integrator's frontend POSTs that token to this endpoint to retrieve the canonical `connection_id`, the or… - [Service health check](https://docs.ledgersyncappv2.com/api-reference/health/service-health-check.md): Returns `200` when the service is alive. Unauthenticated. - [Get one institution by v3 catalog id](https://docs.ledgersyncappv2.com/api-reference/institutions/get-one-institution-by-v3-catalog-id.md): Returns the v3 catalog row for a single institution, including provider routing metadata, supported product capabilities, and the integrator-facing name and logo. Use this after a search to confirm the selected institution before opening a connection. - [List or search the unified institution catalog](https://docs.ledgersyncappv2.com/api-reference/institutions/list-or-search-the-unified-institution-catalog.md): Returns rows from the unified v3 institution catalog. Each row carries a v3 catalog id (`ins_...`) and a `capabilities` block advertising what LedgerSync can deliver (OAuth, transactions, statements, check images) for this institution. - [API request volume, error rate, and latency percentiles](https://docs.ledgersyncappv2.com/api-reference/metrics/api-request-volume-error-rate-and-latency-percentiles.md): Aggregated traffic snapshot for the authenticated customer + environment over the requested window. Returns total volume, success vs error counts, p50/p95 latency in milliseconds, and the 10 most-trafficked `method + path` combinations. - [Bucketed time-series for one metric](https://docs.ledgersyncappv2.com/api-reference/metrics/bucketed-time-series-for-one-metric.md): Returns a dense (gap-filled) time-series for the requested metric. The portal renders this directly into a line/area chart without client-side reindexing. - [Connection counts broken down by health state](https://docs.ledgersyncappv2.com/api-reference/metrics/connection-counts-broken-down-by-health-state.md): Donut-chart fuel: how many of your active connections fall in each health bucket (`HEALTHY`, `NEEDS_REAUTH`, `FAILING`, `DISCONNECTED`). Buckets with zero count are still returned so the chart can render an empty-state outline. - [Headline counts for the portal tile grid](https://docs.ledgersyncappv2.com/api-reference/metrics/headline-counts-for-the-portal-tile-grid.md): Six aggregated counts powering the at-a-glance tile grid: total clients, active connections, linked accounts, statements and transactions in the window, and the count of accounts the proactive-staleness job has flagged. - [Top-N institutions ranked by count or failure rate](https://docs.ledgersyncappv2.com/api-reference/metrics/top-n-institutions-ranked-by-count-or-failure-rate.md): Returns the top-N institutions ordered by the requested key. - `by=connection_count` (default) ranks by active connection count. - `by=failure_rate` ranks by ratio of failed refreshes in window. - [Webhook delivery volume, success rate, and latency](https://docs.ledgersyncappv2.com/api-reference/metrics/webhook-delivery-volume-success-rate-and-latency.md): Aggregated webhook-attempt stats over the requested window. Returns total deliveries, success vs failure counts, p95 end-to-end latency (event creation to attempted delivery), and the top failing event types (top 10 by failure count). - [Check on an async operation](https://docs.ledgersyncappv2.com/api-reference/operations/check-on-an-async-operation.md): A handful of endpoints (initiate connection, refresh) hand you back an `operation_id`. Polling here is the fallback if you can't run a webhook handler — usually you'll get the result via webhook first. The `result` field is populated when `status=succeeded`; `error` when `status=failed`. - [Edit a live application while still under review](https://docs.ledgersyncappv2.com/api-reference/portalgating/edit-a-live-application-while-still-under-review.md): Patches the integrator-supplied fields of a live application that is still `PENDING` or in `NEEDS_INFO`. Reviewer-managed fields (status, denial codes) are immutable here. Returns 400 when the row is already `APPROVED` or `DENIED`. - [Read the gating status for the signed-in user](https://docs.ledgersyncappv2.com/api-reference/portalgating/read-the-gating-status-for-the-signed-in-user.md): Returns the latest sandbox + live status for the WorkOS user whose id is supplied as the `X-Portal-Workos-User-Id` header. The HMAC signature is computed over that header value (the endpoint has no body), keeping the identity unforgeable. - [Submit a live-environment access request](https://docs.ledgersyncappv2.com/api-reference/portalgating/submit-a-live-environment-access-request.md): Same auth + rate-limit shape as `POST /portal/access-request`, with the production-readiness fields collected by the live application form. Writes both an `access_request` row (`environment=LIVE`) and a `live_profile` sidecar row in a single transaction. - [Submit a sandbox access request](https://docs.ledgersyncappv2.com/api-reference/portalgating/submit-a-sandbox-access-request.md): Records a developer's sandbox sign-up. The portal calls this immediately after the WorkOS sign-up flow completes; the request is HMAC-signed with the shared bootstrap secret (`X-Portal-Bootstrap-Signature` header), so the embedded `workos_user_id` is trusted without an additional JWT round-trip. - [List sandbox-eligible test banks](https://docs.ledgersyncappv2.com/api-reference/sandbox/list-sandbox-eligible-test-banks.md): Returns the canonical sandbox FIXTURE catalog (`ins_sandbox_001` / `ins_sandbox_002`) for synthetic flows. - [Delete the redirect-URL allowlist row for the current account + environment](https://docs.ledgersyncappv2.com/api-reference/settings/delete-the-redirect-url-allowlist-row-for-the-current-account-+-environment.md): Drops the allowlist row entirely. After this call, any `/connections/initiate` carrying a `redirect_url` is rejected with `400`. To keep the row but disable all redirects, POST an empty array instead. - [Read the redirect-URL allowlist for the current account + environment](https://docs.ledgersyncappv2.com/api-reference/settings/read-the-redirect-url-allowlist-for-the-current-account-+-environment.md): Returns the redirect URLs registered for your account in the environment of the API key used to call this endpoint (sandbox or live). Empty list means "no allowlist row configured" — any subsequent `/connections/initiate` carrying a `redirect_url` returns `400`. - [Replace the redirect-URL allowlist for the current account + environment](https://docs.ledgersyncappv2.com/api-reference/settings/replace-the-redirect-url-allowlist-for-the-current-account-+-environment.md): Overwrites the full allowlist (no add/remove primitives, no half-applied state). Up to 20 entries, each up to 2048 chars. Every URL must be `https://`, must have a host, must not include a `userinfo` (user:password@) component, and must not resolve to a private/loopback/link-local/cloud-metadata ran… - [Download the statement PDF](https://docs.ledgersyncappv2.com/api-reference/statements/download-the-statement-pdf.md): Streams the original statement PDF bytes for the given statement. This is the same URL exposed in `Statement.download_url` — call it directly with your API key. - [Extract transactions from an uploaded bank-statement PDF](https://docs.ledgersyncappv2.com/api-reference/statements/extract-transactions-from-an-uploaded-bank-statement-pdf.md): Upload a bank-statement PDF and get back the OCR-extracted transactions — the same engine behind the LedgerSync app's Bank Statement Converter. - [Get a statement](https://docs.ledgersyncappv2.com/api-reference/statements/get-a-statement.md): Returns the statement metadata plus, when available, a time-limited signed URL to download the original PDF. For FDE connections this is the document the user uploaded; for bank-sourced statements it's the bank's published file. - [List an account's statements](https://docs.ledgersyncappv2.com/api-reference/statements/list-an-accounts-statements.md): Period statements (usually monthly) the bank publishes. For FDE connections, statements come from the document the user uploaded; for Finicity/MX they come from the bank's statement feed when available. - [Get a single transaction](https://docs.ledgersyncappv2.com/api-reference/transactions/get-a-single-transaction.md): Look up one transaction by id. Useful when a webhook just fired for a specific `transaction_id` and you want the full record. - [List transactions for an account](https://docs.ledgersyncappv2.com/api-reference/transactions/list-transactions-for-an-account.md): Page through an account's transactions, optionally filtered by date range. Pending and posted are both included — check the `status` field. New transactions land here after each refresh (auto-daily or your manual `POST /refresh` call); a future push-delivery event for transactions will be offered fo… - [Create a webhook subscription](https://docs.ledgersyncappv2.com/api-reference/webhooks/create-a-webhook-subscription.md): Register a URL to receive event notifications. Pick which event types to subscribe to via `event_types`, or use `"*"` to subscribe to every event. We deliver via HTTPS POST and sign every body with HMAC-SHA256 — see the **Webhooks** tab for the full signature scheme. - [Delete a webhook subscription](https://docs.ledgersyncappv2.com/api-reference/webhooks/delete-a-webhook-subscription.md): Stop delivering events to this URL. We immediately drop any retries already queued for it. Past delivery attempts stay in the audit log. - [Get a webhook subscription](https://docs.ledgersyncappv2.com/api-reference/webhooks/get-a-webhook-subscription.md): Fetch one subscription by id. The signing secret is omitted — use rotate-secret if you've lost it. - [List webhook subscriptions](https://docs.ledgersyncappv2.com/api-reference/webhooks/list-webhook-subscriptions.md): Every URL we're currently delivering events to, plus the event types each one is subscribed to. The signing secret isn't returned here — that only comes back at creation / rotation. - [Rotate the signing secret](https://docs.ledgersyncappv2.com/api-reference/webhooks/rotate-the-signing-secret.md): Generate a fresh signing secret. The old one stays valid for a 24-hour grace period so you can deploy your new verifier without dropping a delivery. After that, only the new secret will pass signature checks. - [Send a test event](https://docs.ledgersyncappv2.com/api-reference/webhooks/send-a-test-event.md): Fire a synthetic `webhook.test` event to this subscription's URL, signed the exact same way real events are. Great for verifying your handler and signature scheme before going live. - [Update a webhook subscription](https://docs.ledgersyncappv2.com/api-reference/webhooks/update-a-webhook-subscription.md): Change the delivery URL, the subscribed event types, or pause/resume delivery (`status` active ↔ paused). All fields are optional; omitted fields are left unchanged. Use DELETE to permanently disable. - [Authentication](https://docs.ledgersyncappv2.com/authentication.md): Bearer keys, sandbox vs live, and how to keep them safe. - [Connect a bank](https://docs.ledgersyncappv2.com/guides/connect-a-bank.md): Send a member a link, let them pick and connect their own bank, and receive their data. No institution picker to build. - [Connection lifecycle](https://docs.ledgersyncappv2.com/guides/connection-lifecycle.md): How a Connection moves from initiated to active, what each status means, and exactly what to do at every step. - [Errors](https://docs.ledgersyncappv2.com/guides/errors.md): The error envelope, the full error-code catalog, and exactly what to do for each one. - [Going live](https://docs.ledgersyncappv2.com/guides/going-live.md): The checklist to run before you flip the same flow at api.ledgersyncappv2.com with a live key. - [Quickstart](https://docs.ledgersyncappv2.com/guides/quickstart.md): Link a bank and pull transactions in about 15 minutes — from your first sandbox key to a live connection. - [Testing in sandbox](https://docs.ledgersyncappv2.com/guides/testing.md): The full sandbox test-bank reference: FinBank, MX, and FDE — real credentials, MFA recipes, account shapes, and the webhooks each fires. - [Webhooks](https://docs.ledgersyncappv2.com/guides/webhooks.md): Get notified the moment a bank connection goes live, fails, or changes — instead of polling for it. - [Welcome to LedgerSync](https://docs.ledgersyncappv2.com/introduction.md): One uniform REST API for bank accounts, balances, transactions, and statements — across three data sources, with no plumbing to build yourself. ## OpenAPI Specs - [openapi](https://docs.ledgersyncappv2.com/openapi.yaml)