SDK
API keys
API keys are org-level — one set of keys works for every app in your org. Sent via the X-API-Key header. Owners create them; builders and viewers use them.
Create one
1
Open the org page and find the API keys card.
2
Click Create an API key, give it a name (just for your bookkeeping), and copy the value. It's shown once.
3
Set
LEASH_API_KEY in the env where the SDK runs (your Leash app's env vars, your .env file, your CI secrets, etc.).Using API Keys in the SDK
Pass the API key when initializing the client. When using an API key, you still need an auth token to identify which user's integrations to access. The API key authorizes your app; the auth token identifies the user.
TypeScript
const integrations = new LeashIntegrations({apiKey: process.env.LEASH_API_KEY,authToken: userJwtToken, // identifies the user})
API Key vs Auth Token
API keyAuthorizes your org to access the Leash platform. Created from the dashboard, used by every app in the org.
Auth tokenIdentifies the user whose integrations you want to access. A JWT issued when the user signs in.
Security Best Practices
- Never expose API keys in client-side code or commit them to git
- Store keys at the org level via a secret source, then ref them from your app — values flow into both
leash devand the deployed app - Rotate keys at the source — every
leash deploypicks up the new value automatically - Use the per-environment label on each ref to keep dev and prod values distinct