# Authentication

> How Leadey API keys work and how to send them with every request.

The Leadey API authenticates with **API keys**. Each key belongs to one organization, and every request you make with it acts as that organization — there's no separate user context.

## API keys

Keys are created in the Cockpit under **Settings → API Keys**. A key looks like this:

```
leadey_sk_live_Xy3f…a1b2
```

* The full key is shown **once**, at creation. Leadey stores only a hash, so a lost key can't be recovered — create a new one instead.
* The dashboard lists each key by a masked label (`leadey_sk_live_••••a1b2`), its creation date, and when it was last used.
* A key stays valid until you **revoke** it. Revocation takes effect immediately.

## Sending your key

Send the key as a Bearer token in the `Authorization` header on every request.

<CodeGroup>
  ```bash curl theme={"dark"}
  curl https://backend.leadey.ai/v1/me \
    -H "Authorization: Bearer $LEADEY_API_KEY"
  ```

  ```python python theme={"dark"}
  import os, requests

  resp = requests.get(
      "https://backend.leadey.ai/v1/me",
      headers={"Authorization": f"Bearer {os.environ['LEADEY_API_KEY']}"},
      timeout=10,  # requests has no default timeout; avoid hanging indefinitely
  )
  resp.raise_for_status()
  print(resp.json()["data"])
  ```

  ```javascript javascript theme={"dark"}
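  const resp = await fetch("https://backend.leadey.ai/v1/me", {
    headers: { Authorization: `Bearer ${process.env.LEADEY_API_KEY}` },
  });
  // fetch does not reject on HTTP errors, so check for the 401 case explicitly.
  if (!resp.ok) throw new Error(`Leadey API request failed: ${resp.status}`);
  const { data } = await resp.json();
  console.log(data);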
  ```
</CodeGroup>

A request with a missing, malformed, or revoked key returns `401`:

```json theme={"dark"}
{ "error": { "message": "Invalid or revoked API key.", "details": null } }
```

## Keeping keys safe

<Warning>
  An API key carries the access of your whole workspace. Treat it like a password.
</Warning>

* Store keys in environment variables or a secrets manager — never in source control or client-side code.
* Use a separate key per integration so you can revoke one without disrupting the others.
* Rotate keys periodically: create the new one, deploy it, then revoke the old one.
* Revoke immediately if a key may have leaked.
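
An added example, not part of Leadey's documentation or tooling: a pre-commit style check that flags hardcoded keys by the `leadey_sk_live_` prefix and reports them masked, the way the dashboard labels them, so the scanner's own output never repeats the secret. The character set and minimum length of the secret part are assumptions, and the sample key is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the secret part after the documented "leadey_sk_live_" prefix is
# at least 8 characters from [A-Za-z0-9_-]; the page does not give the format.
KEY_RE = re.compile(r"leadey_sk_live_[A-Za-z0-9_-]{8,}")


def mask(key: str) -> str:
    """Render a key like the dashboard label: prefix, bullets, last four characters."""
    return "leadey_sk_live_" + "\u2022" * 4 + key[-4:]


def find_keys(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked key) for every key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, mask(match.group())))
    return hits


def scan_files(paths: list[str]) -> int:
    """Print masked findings for each file; return the number of findings."""
    total = 0
    for path in paths:
        text = Path(path).read_text(encoding="utf-8", errors="ignore")
        for lineno, masked in find_keys(text):
            print(f"{path}:{lineno}: possible Leadey API key {masked}")
            total += 1
    return total


# Constructed sample: a config file with one hardcoded (fake) key and one
# environment lookup. The fake key is split so this file does not flag itself.
SAMPLE = (
    'API_URL = "https://backend.leadey.ai/v1"\n'
    'API_KEY = "leadey_sk_live_' + "Xy3fCONSTRUCTED0000a1b2" + '"\n'
    'API_KEY = os.environ["LEADEY_API_KEY"]\n'
)

if __name__ == "__main__":
    # As a pre-commit hook: a non-zero exit status blocks the commit.
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```

Any key this check finds in a commit should be treated as leaked and revoked, since removing it from the working tree does not remove it from history.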

## Base URL

All endpoints are served under the versioned base URL:

```
https://backend.leadey.ai/v1
```
