The Leadey API authenticates with API keys. Each key belongs to one organization, and every request you make with it acts as that organization — there’s no separate user context.
API keys
Keys are created in the Cockpit under Settings → API Keys. A key looks like this:
- The full key is shown once, at creation. Leadey stores only a hash, so a lost key can’t be recovered — create a new one instead.
- The dashboard lists each key by a masked label (leadey_sk_live_••••a1b2), its creation date, and when it was last used.
- A key stays valid until you revoke it. Revocation takes effect immediately.
Sending your key
Send the key as a Bearer token in the Authorization header on every request.
curl https://backend.leadey.ai/v1/me \
  -H "Authorization: Bearer $LEADEY_API_KEY"
A request with a missing, malformed, or revoked key returns 401:
{ "error": { "message": "Invalid or revoked API key.", "details": null } }
Keeping keys safe
An API key carries the access of your whole workspace. Treat it like a password.
- Store keys in environment variables or a secrets manager — never in source control or client-side code.
- Use a separate key per integration so you can revoke one without disrupting the others.
- Rotate keys periodically: create the new one, deploy it, then revoke the old one.
- Revoke immediately if a key may have leaked.
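The sketch below is an added example, not part of Leadey's documentation or SDK. It reads the key from the environment, sends it as a Bearer token to /v1/me, interprets the documented 401 body, and logs only a masked label, so it can serve as the check on a new key before the old one is revoked. The helper names, the assumption that a valid key gets a 2xx from /v1/me, and the two fake transports (constructed so the code runs offline) are not from the page.

```python
import io
import json
import os
import urllib.error
import urllib.request
from contextlib import nullcontext
from types import SimpleNamespace

BASE_URL = "https://backend.leadey.ai/v1"
PREFIX = "leadey_sk_live_"  # prefix as shown in the dashboard's masked label


def load_key(env=os.environ, name="LEADEY_API_KEY"):
    """Read the key from the environment; fail closed if it is absent."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set")
    return key


def mask_key(key):
    """Log-safe label: prefix plus last four characters, never the full key."""
    head = PREFIX if key.startswith(PREFIX) else ""
    tail = key[-4:] if len(key) - len(head) >= 12 else ""  # hide short values fully
    return f"{head}••••{tail}"


def check_key(key, opener=urllib.request.urlopen):
    """GET /me with the key; use on the new key before revoking the old one."""
    req = urllib.request.Request(f"{BASE_URL}/me", headers={"Authorization": f"Bearer {key}"})
    try:
        with opener(req, timeout=10) as resp:
            return 200 <= resp.status < 300, f"{mask_key(key)}: ok"
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise  # anything but 401 is not a verdict on the key
        body = json.loads(err.read() or b"{}")
        message = body.get("error", {}).get("message", "unauthorized")
        return False, f"{mask_key(key)}: {message}"


# Constructed stand-ins for the network so the example runs offline.
def fake_401(req, timeout=None):
    body = b'{"error": {"message": "Invalid or revoked API key.", "details": null}}'
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(body))


def fake_200(req, timeout=None):
    return nullcontext(SimpleNamespace(status=200))
```

In real use, call check_key(load_key()) with the default opener; the fake transports exist only for offline runs.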
Base URL
All endpoints are served under the versioned base URL:
https://backend.leadey.ai/v1