
API Key

  • Header: x-api-key
  • Format: lmn_prd_<28 url-safe base64 chars> (production) or lmn_stg_<28 url-safe base64 chars> (sandbox).
  • Transport: keys are shared via a one-time secret link at onboarding. Never commit keys to source control; never send them in URLs or query strings (they end up in proxy and server logs).
  • Rotation: coordinated out-of-band; both old and new keys are accepted during a brief overlap window for zero-downtime cutover.
  • Errors:
    • 401 missing_api_key — x-api-key header absent.
    • 401 invalid_api_key — key not recognized, revoked, or wrong environment (e.g., lmn_stg_* against api.lmnauto.com).

IP Allowlist

Requests are accepted only from pre-registered partner egress IPs.
  • Up to 16 IPv4 addresses or CIDR ranges per environment.
  • Sandbox and production have independent allowlists.
  • Requests from unlisted IPs return 403 ip_not_allowed.
To add or change IPs, email integrations@lmnauto.com with at least 72 hours notice. Emergency same-day changes via security@lmnauto.com.

TLS Requirements

  • Minimum TLS 1.2 (TLS 1.3 preferred).
  • Forward-secret cipher suites required (ECDHE-*).
  • Public CA chain — no certificate pinning required.

Idempotency-Key (required on POST)

Every POST must include an Idempotency-Key header with a UUID v4 value.
Idempotency-Key: 8e8b2a70-7a4f-4f7c-9e3a-8ed4f8c3a9d1
  • LMN enforces a permanent unique constraint on (api_key, idempotency_key). Replays return the cached response (same status, same body). Safe to retry on timeouts.
  • Missing on POST returns 400 missing_idempotency_key.
  • Reusing an Idempotency-Key with a different vehicle_id returns 422 idempotency_key_reused — generate a fresh key per logical request, never reuse across different orders.

Safe vs unsafe key reuse

Scenario, result, example:
  • Same key + same body (network retry): ✅ Safe. Returns the original response; no duplicate is created. Example: same vehicle_id, same max_bid_amount_usd.
  • Same key + different body: 422 idempotency_key_reused, with details.original_vehicle_id identifying the first request. Example: a different vehicle_id than the original POST.
  • Different key + same body: ⚠️ Treated as a new request; returns 409 duplicate_order if an active order already exists for that vehicle. Example: a fresh key was generated for what should have been a retry.
Rule of thumb: generate the Idempotency-Key once at the moment of order intent, then reuse it across all retries of the same logical request. Never reuse across different logical requests.

Rate Limits

Per-API-key sliding-window buckets:
Bucket, endpoints, limit:
  • Read-heavy: GET /v1/vehicles, GET /v1/vehicles/facets (600 req/min)
  • Read-light: GET /v1/orders/{id}, GET /v1/orders (300 req/min)
  • Write: all POST and DELETE (60 req/min)
When a bucket is exceeded, the response is 429 rate_limited with a Retry-After header (seconds until the window resets). Honor Retry-After and apply client-side exponential backoff with jitter; do not retry in a tight loop.
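The following Python client is an added example, not LMN's code or SDK. It combines the API key, TLS, Idempotency-Key and Rate Limits rules above: it checks the key format and that the key's environment matches the host, builds a TLS context that meets the stated minimum, mints one UUID v4 at order intent, reuses that key across timeout and 429 retries, and honors Retry-After. A constructed in-memory fake server models the (api_key, idempotency_key) constraint, the 422 reuse error, the 409 duplicate-order case and a 429 so the three rows of the reuse table can be exercised offline. The POST /v1/orders path, the 201 response body, the {"error": ...} body shape and the sandbox host handling are assumptions; header names, error codes and the uniqueness rule come from this page.

```python
import re
import ssl
import time
import uuid
from dataclasses import dataclass, field

# Key format from the page: lmn_prd_/lmn_stg_ followed by 28 url-safe base64 characters.
KEY_RE = re.compile(r"^lmn_(prd|stg)_[A-Za-z0-9_-]{28}$")
PRODUCTION_HOST = "api.lmnauto.com"   # named on the page; the sandbox host is not, so callers pass it

def key_environment(api_key):
    """'production' or 'sandbox' from the key prefix; raises on a malformed key."""
    m = KEY_RE.match(api_key)
    if not m:
        raise ValueError("malformed API key")
    return "production" if m.group(1) == "prd" else "sandbox"

def make_tls_context():
    """TLS settings from the page: >= TLS 1.2, ECDHE suites only, public CA chain, no pinning."""
    ctx = ssl.create_default_context()               # system CA store + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")    # TLS 1.2 suites; TLS 1.3 suites are forward secret by design
    return ctx

def backoff(attempt, base=0.5, cap=8.0):
    """Exponential backoff in seconds (add jitter in production to avoid synchronized retries)."""
    return min(cap, base * (2 ** attempt))

@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)

class LmnClient:
    """transport(method, path, headers, body) returns a Response or raises TimeoutError."""
    def __init__(self, api_key, host, transport, sleep=time.sleep, max_attempts=5):
        env = key_environment(api_key)
        if (host == PRODUCTION_HOST) != (env == "production"):   # catch the mismatch before a 401 invalid_api_key
            raise ValueError(f"{env} key used against {host}")
        self.api_key, self.transport, self.sleep, self.max_attempts = api_key, transport, sleep, max_attempts

    def create_order(self, vehicle_id, max_bid_amount_usd, idempotency_key=None):
        # One UUID v4 per logical request, minted at order intent and reused for every retry.
        # POST /v1/orders and the 201 body are assumptions; header and error names are from the page.
        key = idempotency_key or str(uuid.uuid4())
        headers = {"x-api-key": self.api_key, "Idempotency-Key": key}
        body = {"vehicle_id": vehicle_id, "max_bid_amount_usd": max_bid_amount_usd}
        for attempt in range(self.max_attempts):
            try:
                resp = self.transport("POST", "/v1/orders", headers, body)
            except TimeoutError:                   # same key on retry: a replay returns the cached response
                self.sleep(backoff(attempt))
                continue
            if resp.status == 429:                 # honor Retry-After, fall back to backoff if absent
                self.sleep(float(resp.headers.get("Retry-After", backoff(attempt))))
                continue
            return key, resp                       # other statuses are final; 422/409 need a new decision
        raise RuntimeError(f"gave up after {self.max_attempts} attempts")

class FakeLmnServer:
    """Constructed stand-in for the API (not LMN code): permanent (api_key, idempotency_key) uniqueness,
    422 on reuse with another vehicle, 409 for a second active order on a vehicle, one 429 with Retry-After."""
    def __init__(self, rate_limit_first=False, lose_responses=0):
        self.cache = {}                 # (api_key, idempotency_key) -> (vehicle_id, Response)
        self.active_orders = set()      # vehicle_ids with an active order
        self.calls, self.rate_limit_first, self.lose_responses = 0, rate_limit_first, lose_responses

    def __call__(self, method, path, headers, body):
        self.calls += 1
        if self.rate_limit_first:
            self.rate_limit_first = False
            return Response(429, {"error": "rate_limited"}, {"Retry-After": "1"})
        idem = headers.get("Idempotency-Key")
        if method == "POST" and not idem:
            return Response(400, {"error": "missing_idempotency_key"})
        ck = (headers["x-api-key"], idem)
        if ck in self.cache:                               # replay: same status, same body, nothing re-executed
            orig_vehicle, resp = self.cache[ck]
            if body["vehicle_id"] != orig_vehicle:
                return Response(422, {"error": "idempotency_key_reused",
                                      "details": {"original_vehicle_id": orig_vehicle}})
            return resp
        if body["vehicle_id"] in self.active_orders:
            return Response(409, {"error": "duplicate_order"})
        self.active_orders.add(body["vehicle_id"])
        resp = Response(201, {"order_id": f"ord_{len(self.cache) + 1}", "vehicle_id": body["vehicle_id"]})
        self.cache[ck] = (body["vehicle_id"], resp)
        if self.lose_responses > 0:                        # order exists server-side but the client sees a timeout
            self.lose_responses -= 1
            raise TimeoutError("response lost in transit")
        return resp

def run_scenarios():
    """Walk the three rows of the reuse table above and return what the client observed."""
    server, sleeps = FakeLmnServer(rate_limit_first=True, lose_responses=1), []
    client = LmnClient("lmn_prd_" + "A" * 28, PRODUCTION_HOST, server, sleep=sleeps.append)
    key, first = client.create_order("VIN-0001", 15000)                       # 429, then lost response, then replay
    _, reused = client.create_order("VIN-0002", 15000, idempotency_key=key)   # same key, different vehicle
    _, fresh = client.create_order("VIN-0001", 15000)                         # fresh key, same vehicle
    return {"first": first, "reused": reused, "fresh": fresh, "sleeps": sleeps,
            "server_calls": server.calls, "orders_created": len(server.active_orders)}
```

Calling run_scenarios() shows the point of the reuse table: the first order needs three round trips (429, a lost response, a replay) yet exactly one order exists server-side, the reused key with a different vehicle_id is rejected with 422, and a fresh key for the same vehicle is treated as a new request and collides with 409. Plug a real HTTPS transport into LmnClient (using make_tls_context()) to use the same retry logic against the live API.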

Webhook signing

All webhooks LMN sends to your endpoint are signed with HMAC-SHA256 (Stripe-compatible scheme). See Webhooks → Signing for verification details.
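Added example, not LMN's code: a verifier for the Stripe-compatible scheme named above, in which the signature header carries "t=<unix timestamp>,v1=<hex HMAC-SHA256>" and the MAC is computed over "<timestamp>.<raw request body>". The LMN header name and signing-secret format are not given on this page, so the header value and secret are passed in as parameters; the signer and sample delivery below are constructed only to exercise the verifier offline. Two details matter in practice and are handled here: verify over the exact bytes received, before JSON parsing, and reject deliveries whose timestamp is outside a tolerance window so a captured webhook cannot be replayed later.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300   # assumed replay window; tune to your clock skew and delivery latency

def sign_webhook(secret, raw_body, timestamp):
    """Constructed signer used only to build sample deliveries; the real sender is LMN."""
    signed = f"{timestamp}.".encode() + raw_body
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"

def parse_signature_header(value):
    """Split 't=...,v1=...[,v1=...]' into (timestamp, [signatures]); raises ValueError if malformed."""
    ts, sigs = None, []
    for part in value.split(","):
        k, _, v = part.strip().partition("=")
        if k == "t":
            ts = int(v)
        elif k == "v1":
            sigs.append(v)
    if ts is None or not sigs:
        raise ValueError("malformed signature header")
    return ts, sigs

def verify_webhook(secret, raw_body, header_value, now=None, tolerance=TOLERANCE_SECONDS):
    """True only if a v1 signature matches the raw body under `secret` and the timestamp is fresh.
    Always verify the bytes exactly as received: re-serialising JSON changes the digest."""
    now = time.time() if now is None else now
    try:
        ts, sigs = parse_signature_header(header_value)
    except ValueError:
        return False
    if abs(now - ts) > tolerance:          # stale or future-dated delivery: treat as replay
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time; accepting any listed v1 covers a secret-rotation overlap window
    return any(hmac.compare_digest(expected, s) for s in sigs)

# Constructed sample delivery (secret, body and timestamp are not real LMN values).
SAMPLE_SECRET = "whsec_constructed_example_secret"
SAMPLE_BODY = b'{"order_id":"ord_1","vehicle_id":"VIN-0001","status":"constructed-sample"}'
SAMPLE_TS = 1_700_000_000

def demo():
    """Exercise the verifier on a good delivery and the failure modes a receiver must reject."""
    header = sign_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_TS)
    # Overlap during rotation: sender lists the MAC under both old and new secret.
    new_secret = "whsec_constructed_rotated_secret"
    rotated = header + "," + sign_webhook(new_secret, SAMPLE_BODY, SAMPLE_TS).split(",")[1]
    return {
        "valid": verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, header, now=SAMPLE_TS + 10),
        "tampered": verify_webhook(SAMPLE_SECRET, SAMPLE_BODY.replace(b"ord_1", b"ord_2"), header, now=SAMPLE_TS + 10),
        "stale": verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, header, now=SAMPLE_TS + 3600),
        "wrong_secret": verify_webhook("whsec_other", SAMPLE_BODY, header, now=SAMPLE_TS + 10),
        "rotation_overlap": verify_webhook(new_secret, SAMPLE_BODY, rotated, now=SAMPLE_TS + 10),
    }
```

Wire verify_webhook into your endpoint handler with the request's raw body bytes and the signature header value from the Webhooks → Signing section, and return a 4xx without processing the event when it yields False.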