SDK

API keys

API keys are org-level — one set of keys works for every app in your org. The SDK sends them via the X-API-Key header. Owners create them; builders and viewers use them.

Create one

Open the org page and find the API keys card.

Click Create an API key, give it a name (just for your bookkeeping), and copy the value. It's shown once.

Set LEASH_API_KEY in the env where the SDK runs (your Leash app's env vars, your .env.local file, your CI secrets, etc.).

Use it

The SDK auto-reads LEASH_API_KEY from process.env when you construct new Leash({ request }). No manual wiring.

app/api/inbox/route.ts

import { Leash } from '@leash/sdk/leash'

export async function GET(req: Request) {
  // Reads LEASH_API_KEY automatically and forwards leash-auth from the request.
  const leash = new Leash({ request: req })
  const messages = await leash.integrations.gmail.listMessages({ maxResults: 5 })
  return Response.json({ messages })
}

If LEASH_API_KEY isn't set, the constructor throws a LeashError with code NO_API_KEY — see Error handling.

To override the key explicitly (e.g. for tests):

const leash = new Leash({ request: req, apiKey: 'lsk_live_…' })

API key vs. session cookie

API keyAuthorizes your org to call the platform. Created from the dashboard, used by every app in the org.

leash-auth cookieIdentifies the user whose integrations to access. Forwarded automatically when you pass request to Leash.

Security

Never expose API keys in client-side code or commit them to git.
Store keys at the org level via a secret source, then ref them from your app — values flow into both leash dev and the deployed app.
Rotate keys at the source — every leash deploy picks up the new value automatically.
Use the per-environment label on each ref to keep dev and prod values distinct.