Available filters for contact searches
Lusha API Documentation
Lusha provides a RESTful API that allows you to query a comprehensive dataset of business profiles and company information. It is designed for teams building prospecting, enrichment, automation, and analytics workflows that require accurate, continuously updated business data. The API supports both real-time and bulk use cases and is suitable for production environments. Use the Lusha API to search for new prospects, enrich existing records, react to real-world changes, and expand coverage using lookalike recommendations.
All API requests should be made over HTTPS (SSL), and the response bodies are delivered in JSON format.
Person
https://api.lusha.com/v2/person
▶ Common Use Cases
- • Form enrichment
- • CRM completion
- • Outbound personalization
Company
https://api.lusha.com/v2/company
▶ Common Use Cases
- • Account enrichment
- • Routing, scoring, territory logic
- • Market analysis & segmentation
Signals
https://api.lusha.com/v2/signals
▶ Common Use Cases
- • Job change tracking
- • Company updates signals
- • News event alerts
Lookalikes
https://api.lusha.com/v2/recommendations
▶ Common Use Cases
- • Market expansion
- • Similar account discovery
- • Prospect recommendations
Filters
Account
Webhooks APINEW
Subscribe to real-time notifications when contacts change jobs or companies experience key business events.
View Documentation →Data Source and Privacy
Please note that Lusha is a search platform, meaning the data provided is not created or directly managed by us. Instead, it is retrieved from publicly available sources and through contributions from trusted business partners.
For more information on how we collect, use, and handle business profiles, please refer to our Privacy Policy.
API keys are required for all API and MCP requests and are tied to your Lusha account and plan. To access the Lusha API, you must authenticate your requests using your API key. This key is unique to your account and is used to identify your usage of the API. How to Authenticate:
When making an API call, include your API key in the api_key header of the request.
You can generate and retrieve your API key here. API keys should be stored securely and used only in server-side environments.
Lusha API enforces rate limiting to ensure fair usage and protect against excessive load.
- General Rate Limit: You can make up to 25 requests per second to each API endpoint
- Credit Usage API: Has a specific rate limit of 5 requests per minute
Note: Rate limits may vary based on your account type and subscription plan. If you're encountering rate limit issues frequently, please consult with your account manager or Lusha support team to discuss your specific needs.
Rate Limit Headers
To monitor your current rate limit status, check the HTTP response headers in your API calls:
| Header | Description |
|---|---|
x-rate-limit-daily | The total number of requests allowed per day under your current plan |
x-daily-requests-left | The number of requests remaining in your daily quota |
x-daily-usage | The number of requests you have made in the current daily period |
x-rate-limit-hourly | The total number of requests allowed per hour under your current plan |
x-hourly-requests-left | The number of requests remaining in your hourly quota |
x-hourly-usage | The number of requests you have made in the current hourly period |
x-rate-limit-minute | The total number of requests allowed per minute under your current plan |
x-minute-requests-left | The number of requests remaining in your current minute window |
x-minute-usage | The number of requests you have made in the current minute window |
Notes on API Rate Limiting
- If you exceed the rate limit, the API will return a 429 (Too Many Requests) error.
- To ensure a smooth experience, respect the rate limits defined by your subscription tier.
- Daily limits vary based on your billing plan — higher tiers have higher quotas.
- You can programmatically track your usage through these response headers:
X-RateLimit-Remaining-DailyX-RateLimit-Reset-Daily
- It is strongly recommended to implement logic that:
- Monitors these headers
- Pauses or retries requests accordingly
- Helps avoid hitting the limit and ensures reliable operation
Lusha API uses standard HTTP response codes to indicate the status of your request. These codes help you understand whether the request was successful or if there was an issue.
| Status Code | Name | Description |
|---|---|---|
| 200 | OK | Successful request |
| 400 | Bad Request | Badly formatted request |
| 401 | Unauthorized | The API key is invalid |
| 402 | Payment Required | Your account requires payment |
| 403 | Forbidden | Your account is not active. Please reach out to support at support@lusha.com for assistance |
| 403 | Forbidden | Your pricing version does not support requesting individual datapoints [revealEmails, revealPhones] |
| 404 | Not Found | The requested endpoint was not found |
| 412 | Precondition Failed | The request failed due to invalid syntax that was provided. Please make sure to send a full name field that contains a valid first & last name |
| 429 | Too Many Requests | You've reached your trial limit, please contact support for upgrade |
| 429 | Too Many Requests | Daily API quota limit exceeded. Limit X calls per day |
| 429 | Too Many Requests | Hourly API rate limit exceeded. Limit: X calls per hour. Reset in X seconds |
| 451 | Unavailable For Legal Reasons | We are unable to process this contact request due to our GDPR regulations |
| 499 | Client Closed Request | Request failed due to request timeout |
| 5XX | Server Error | There's a problem on Lusha's end |
Error Response Format
In case of an error, the response body will contain details about the error:
{
"error": {
"code": 400,
"message": "Invalid request parameters"
}
}Handling errors
Always ensure your API key is correct and valid
Pay attention to the specific error message and code to troubleshoot issues efficiently
Implement proper error handling and retry logic in your application
For 5XX errors, implement exponential backoff before retrying
Download OpenAPI description
Overview
Languages
Servers
Mock server
https://docs.lusha.com/_mock/apis/openapi
Production server
https://api.lusha.com
Enrichment
What is enrichment?:
Enrichment is the process of adding missing or updated data to existing contact or company records.
Use enrichment to:
- Complete CRM records
- Improve outbound accuracy and deliverability
- Keep records current as people and companies change
Enrichment can be performed in real time or in bulk, depending on the endpoint and use case.
Available enrichment APIs
Person enrichment:
- Search single contact - Enrich one contact at a time
- Search multiple contacts - Bulk enrich contacts
Company enrichment:
- Search a single company - Enrich one company at a time
- Search multiple companies - Bulk enrich companies
Operations
Prospecting - Search & Enrich
With Lusha's Prospecting API, you can query Lusha's extensive database based on specific criteria (such as job title, seniority, location, and more) to retrieve detailed contact and company information.
The Prospecting API is designed to help you generate new records (contacts or companies) for your CRM system, using filters that align with your Ideal Customer Profile (ICP).
This process involves three main steps:
Operations
Signals
With Lusha’s Signals API, you can enrich your contacts and companies with timely insights that highlight key account and prospect changes. Signals help you identify moments of opportunity - from job moves and promotions to company growth and new initiatives - so you can engage prospects and customers at exactly the right time. Easily integrate signal data into enrichment flows, CRM systems, or automation workflows to keep pipelines and customer records always up to date.
Operations
Lookalikes
Lusha's Lookalikes API helps you discover similar contacts and companies based on your existing data. Get AI-powered suggestions for new prospects that match your ideal customer profile.
Contact Lookalikes - Find similar contacts based on role, seniority, and industry patterns.
Company Lookalikes- Discover companies with similar firmographics and characteristics.
Operations
Webhooks
Subscribe to real-time notifications when contacts change jobs or companies experience key business events.
Webhooks deliver HTTP POST requests to your endpoints when signals occur - from promotions and job changes to company growth.
For a full list of available signals, refer to Signal Options.
Key Features:
- Real-time contact & company signal notifications
- Bulk subscription management (up to 25 items per request)
- Secure delivery with HMAC-SHA256 signatures
- Automatic URL verification during setup
- Delivery monitoring with audit logs
Available Endpoints:
| Method | Endpoint | Purpose |
|---|---|---|
| POST | /api/subscriptions | Create subscriptions (bulk supported) |
| GET | /api/subscriptions | List all subscriptions |
| GET | /api/subscriptions/{id} | Get subscription by ID |
| PATCH | /api/subscriptions/{id} | Update subscription |
| POST | /api/subscriptions/delete | Delete subscriptions (bulk supported) |
| POST | /api/subscriptions/{id}/test | Test subscription delivery |
| GET | /api/audit-logs | Get webhook delivery logs |
| GET | /api/audit-logs/stats | Get delivery statistics |
| GET | /api/account/secret | Get account webhook secret |
| POST | /api/account/secret/regenerate | Regenerate account secret |
Webhook Verification: When creating subscriptions, Lusha sends a GET request with a
challengeparameter. Your endpoint must return{"challenge": "value"}with HTTP 200.
Rate Limits
| Operation | Limit |
|---|---|
| API Requests | 100 requests/minute per account |
| Create Subscriptions | 25 items per request |
| Delete Subscriptions | 25 items per request |
Security & Verification
HTTPS Requirement:
- Production webhook URLs must use HTTPS
- HTTP URLs are not accepted
Webhook Verification:
When creating or updating a subscription, Lusha verifies your webhook URL by sending a GET request with a challenge query parameter.
Verification Request:
GET https://your-webhook-url.com?challenge=abc123xyzExpected Response (200 OK):
{
"challenge": "abc123xyz"
}Requirements:
- Return HTTP 200 status
- Return Content-Type: application/json
- Echo back the exact challenge value
Signature Verification:
All webhook deliveries include an X-Lusha-Signature header containing an HMAC-SHA256 signature. Verify this signature to ensure the request is from Lusha:
- Extract the
X-Lusha-SignatureandX-Lusha-Timestampheaders - Concatenate:
timestamp + "." + JSON.stringify(payload) - Compute HMAC-SHA256 using your webhook secret
- Compare the computed signature with the received signature
Example (Node.js):
const crypto = require('crypto');
function verifySignature(payload, signature, timestamp, secret) {
const signedPayload = `${timestamp}.${JSON.stringify(payload)}`;
const expectedSignature = crypto
.createHmac('sha256', secret)
.update(signedPayload)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSignature)
);
}Security Best Practice: Always verify webhook signatures to prevent spoofed requests.
Credits & Billing
Credit Charges:
- Credits are charged when signals are detected and delivered to your webhook
- The
creditsChargedfield in the webhook payload indicates how many credits were used - Credits are deducted from your account balance per signal type
No Duplicate Charges:
- Each signal is delivered once and charged once
- Webhook delivery retries do not incur additional charges
Error Response Format
All error responses follow this format:
{
"statusCode": 400,
"message": "Validation failed",
"errors": ["entityType must be one of: contact, company"]
}| Field | Type | Description |
|---|---|---|
statusCode | number | HTTP status code |
message | string | Error message |
errors | string[] | Detailed error messages (optional) |
Operations
Request
Creates one or more webhook subscriptions for real-time signal notifications.
URL Validation:
- The URL is validated once before creating any subscriptions
- Includes format checking and challenge request verification
- If URL validation fails, no subscriptions are created
Delivery & Reliability:
- Webhooks are delivered with automatic retry on failures
- Maximum 3 retry attempts with exponential backoff
- Subscriptions auto-disable after max retries exceeded
- All deliveries are logged in audit logs
Limit: Maximum 25 subscriptions per request
Endpoint: (POST) https://api.lusha.com/api/subscriptions
When a signal is triggered, this payload is sent to your webhook URL:
{
"id": "f3b87e05-0402-4f3e-8e26-6a38fd0ad62c",
"type": "promotion",
"entityType": "contact",
"entityId": "4158887495",
"subscriptionId": "507f1f77bcf86cd799439011",
"data": {
"personId": 4158887495,
"currentCompanyId": 40823133,
"currentCompanyName": "OMG Hospitality Group LLC",
"currentDomain": "omghospitalitygroup.com",
"currentTitle": "Bartender",
"currentDepartments": [
{ "id": 7, "value": "Other" }
],
"previousCompanyName": "First Watch Restaurants",
"previousDomain": "firstwatch.com",
"signalDate": "2025-07-01"
},
"timestamp": "2026-01-14T16:16:35.841Z",
"billing": {
"creditsCharged": 1
}
}Headers Included:
| Header | Description |
|---|---|
X-Lusha-Signature | HMAC-SHA256 signature for verification |
X-Lusha-Timestamp | Unix timestamp of the request |
Content-Type | application/json |
User-Agent | Lusha-Webhooks/1.0 |
⚠️ Important: Ensure your account has a webhook secret before creating subscriptions. Create one via the Regenerate Account Secret endpoint.
Security
ApiKeyAuth
Webhook URL - validated once with challenge request (HTTPS required in production)
Example: "https://example.com/webhooks/lusha"
Default entity type for all subscriptions
Enum"contact""company"
Example: "contact"
Default signal types for all subscriptions. Available signals depend on entity type:
Examples for contacts:
promotion- Job title promotionscompanyChange- Company changesallSignals- All contact signals
Examples for companies:
newsEvent- Company-related events and newsallSignals- All company signalssurgeInHiring- Overall hiring activity increase
Please refer to the Signal Options Section for a full list of available signals.
Example: ["promotion","newsEvent"]
Array of subscriptions to create (max 10 in development, 25 in production)
Entity ID (always required per item)
Example: "123"
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/subscriptions
- Production serverhttps://api.lusha.com/api/subscriptions
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X POST \
https://docs.lusha.com/_mock/apis/openapi/api/subscriptions \
-H 'Content-Type: application/json' \
-H 'api_key: YOUR_API_KEY_HERE' \
-d '{
"defaults": {
"entityType": "contact",
"signalTypes": [
"promotion",
"companyChange"
],
"url": "https://example.com/webhooks/lusha"
},
"subscriptions": [
{
"entityId": "123456",
"name": "My Test Webhook"
}
]
}'Subscriptions created (full or partial success)
Response
application/json
{ "total": 3, "successful": 3, "failed": 0, "results": [ { … }, { … }, { … } ] }
Request
Returns all webhook subscriptions for your account with pagination support.
Endpoint: (GET) https://api.lusha.com/api/subscriptions
Pagination:
- Results are sorted by
createdAtin descending order (newest first) - Default limit: 10, max limit: 100
- Use
offsetfor pagination through large result sets
Note: The webhook
secretis never returned in list responses for security.
Security
ApiKeyAuth
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/subscriptions
- Production serverhttps://api.lusha.com/api/subscriptions
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X GET \
'https://docs.lusha.com/_mock/apis/openapi/api/subscriptions?limit=10&offset=0' \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "data": [ { … } ], "pagination": { "total": 25, "limit": 10, "offset": 0, "hasMore": true } }
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/subscriptions/{id}
- Production serverhttps://api.lusha.com/api/subscriptions/{id}
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X GET \
https://docs.lusha.com/_mock/apis/openapi/api/subscriptions/507f1f77bcf86cd799439011 \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "id": "507f1f77bcf86cd799439011", "entityType": "contact", "entityId": "123456", "signalTypes": [ "promotion", "companyChange" ], "url": "https://example.com/webhooks/lusha", "name": "Contact Promotion Tracker", "isActive": true, "blockReason": "Max retries exceeded", "blockedAt": "2026-01-14T10:00:00.000Z", "createdAt": "2026-01-14T10:00:00.000Z", "updatedAt": "2026-01-14T10:00:00.000Z" }
Request
Updates an existing webhook subscription. All fields are optional.
Endpoint: (PATCH) https://api.lusha.com/api/subscriptions/{id}
Reactivating Disabled Subscriptions:
When setting isActive: true on a previously disabled subscription, the system automatically:
- Clears the
blockReasonfield - Clears the
blockedAttimestamp - Resets the retry counter
Regenerating Secrets:
Set regenerateSecret: true to generate a new webhook secret. The new secret:
- Affects all subscriptions for your account
- Is only shown once in the response
- Immediately invalidates the old secret
Security
ApiKeyAuth
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/subscriptions/{id}
- Production serverhttps://api.lusha.com/api/subscriptions/{id}
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X PATCH \
https://docs.lusha.com/_mock/apis/openapi/api/subscriptions/507f1f77bcf86cd799439011 \
-H 'Content-Type: application/json' \
-H 'api_key: YOUR_API_KEY_HERE' \
-d '{
"isActive": false
}'Response
application/json
{ "id": "507f1f77bcf86cd799439011", "entityType": "contact", "entityId": "123456", "signalTypes": [ "promotion", "companyChange" ], "url": "https://example.com/webhooks/lusha", "name": "Contact Promotion Tracker", "isActive": true, "secret": "whsec_abc123def456ghi789jkl012mno345pqr678stu901vwx234yz", "createdAt": "2026-01-14T10:00:00.000Z", "updatedAt": "2026-01-14T10:00:00.000Z" }
Request
Test a webhook subscription by sending a test signal. Supports three test modes.
Endpoint: (POST) https://api.lusha.com/api/subscriptions/{id}/test
Test Modes:
direct- Quick HTTP check only (validates URL responds correctly)kafka- Fanout handler only (tests Kafka message processing)full- Complete Kafka flow (default - end-to-end test)
What Gets Tested:
- URL accessibility and response time
- Challenge verification (for direct mode)
- Complete delivery pipeline (for full mode)
- Signature generation and headers
Important Notes:
- Test deliveries do NOT consume credits
- Test payloads use mock data
- Useful for verifying webhook configuration before going live
Security
ApiKeyAuth
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/subscriptions/{id}/test
- Production serverhttps://api.lusha.com/api/subscriptions/{id}/test
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X POST \
'https://docs.lusha.com/_mock/apis/openapi/api/subscriptions/507f1f77bcf86cd799439011/test?mode=full' \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "subscriptionId": "507f1f77bcf86cd799439011", "subscriptionName": "My Test Webhook", "url": "https://example.com/webhook", "mode": "full", "flowCheck": { "success": true, "statusCode": 200, "durationMs": 150 }, "testPayload": { "entityType": "contact", "signalType": "promotion", "data": {} }, "isSuccess": true, "timestamp": "2024-01-01T00:00:00.000Z" }
Request
Delete one or more webhook subscriptions. Returns detailed results for each deletion with partial success support.
Endpoint: (POST) https://api.lusha.com/api/subscriptions/delete
Behavior:
- Each subscription is processed independently
- Returns detailed results for each item including deleted subscription info
- Invalid ID formats are gracefully handled and reported as NOT_FOUND
- Duplicate IDs are automatically deduplicated
- Deletion is permanent and cannot be undone
Security
ApiKeyAuth
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/subscriptions/delete
- Production serverhttps://api.lusha.com/api/subscriptions/delete
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X POST \
https://docs.lusha.com/_mock/apis/openapi/api/subscriptions/delete \
-H 'Content-Type: application/json' \
-H 'api_key: YOUR_API_KEY_HERE' \
-d '{
"ids": [
"sub-123"
]
}'Response
application/json
{ "total": 3, "successful": 3, "failed": 0, "results": [ { … }, { … }, { … } ] }
Request
Retrieve webhook delivery logs for your account.
Endpoint: (GET) https://api.lusha.com/api/audit-logs
What's Logged:
- All webhook delivery attempts (success and failures)
- HTTP status codes and response times
- Error messages for failed deliveries
- Delivery timestamps and duration metrics
Filtering:
- Filter by subscription ID to see logs for specific subscriptions
- Filter by status to see only successes, failures, or permanent failures
Rate Limit: 100 requests/minute per account
Note: Logs are retained for 90 days (successful) and 180 days (failed/DLQ)
Security
ApiKeyAuth
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/audit-logs
- Production serverhttps://api.lusha.com/api/audit-logs
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X GET \
'https://docs.lusha.com/_mock/apis/openapi/api/audit-logs?subscriptionId=507f1f77bcf86cd799439011&status=success&limit=50&offset=0' \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "data": [ { … } ], "pagination": { "total": 100, "limit": 50, "offset": 0, "hasMore": true } }
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/audit-logs/stats
- Production serverhttps://api.lusha.com/api/audit-logs/stats
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X GET \
'https://docs.lusha.com/_mock/apis/openapi/api/audit-logs/stats?subscriptionId=sub-123' \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "total": 1000, "success": 950, "failed": 50, "successRate": "95.00%" }
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/account/secret
- Production serverhttps://api.lusha.com/api/account/secret
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X GET \
https://docs.lusha.com/_mock/apis/openapi/api/account/secret \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "secret": "whsec_abc123def456ghi789jkl012mno345pqr678stu901vwx234yz" }
Request
Regenerate the account webhook secret. Affects all subscriptions for the account.
Endpoint: (POST) https://api.lusha.com/api/account/secret/regenerate
Behavior:
- If a secret already exists: Replaces with new secret (old secret is invalidated)
- If no secret exists: Creates new secret automatically
Important Notes:
- The secret is only shown once in the response. Store it securely.
- This endpoint always succeeds (upsert operation)
- Regenerating invalidates the old secret for all subscriptions (if one existed)
- An account secret must exist before webhooks can be delivered
Security
ApiKeyAuth
- Mock serverhttps://docs.lusha.com/_mock/apis/openapi/api/account/secret/regenerate
- Production serverhttps://api.lusha.com/api/account/secret/regenerate
- curl
- JavaScript
- Node.js
- Python
- Java
- C#
- PHP
- Go
- Ruby
- R
- Payload
curl -i -X POST \
https://docs.lusha.com/_mock/apis/openapi/api/account/secret/regenerate \
-H 'api_key: YOUR_API_KEY_HERE'Response
application/json
{ "secret": "whsec_new_secret_here_abc123def456ghi789jkl012mno345" }
Account Management
Manage your account and monitor usage.
Use this endpoint to:
- Monitor credit usage
- Understand consumption patterns
- Align API usage with plan limits
- Support governance and production operations
Account-level insights are especially important for teams running Lusha at scale or across multiple systems.
Operations