API keys

API keys are your account's credential for the Leadgram API V2. Manage them from Settings: create a key, give it a name, and revoke it when you're done. Here's what a key can do, how to create one, how it's scoped, the request shape it's meant for, and how to rotate or revoke it.

What API keys are for

An API key lets an external tool or custom script call the Leadgram API on your behalf, without sharing your login credentials or session cookie. It's built for server-to-server integrations (Keitaro pulling data, a script pushing events), not for browser use.

Create a key

  1. Open Settings → API keys.
  2. Give it a name you'll recognize later, e.g. "Keitaro" or "reporting script" (that's the only field the form takes).
  3. Click Create Key. The secret is shown exactly once, right after creation, in a copy box, so copy it now. Neither the keys table nor any endpoint will show the full value again; only the name and creation date persist.
API keys panel with create key dialogAPI keys panel with create key dialog

Scopes and organization binding

A key isn't scoped to a specific project or permission set from the panel. It's tied to your user account and carries the same access your account has, wherever it's used. There's no per-teammate sub-scoping in the current UI: if several people need integration access, mint a key per person or per integration so you can tell them apart in the table and revoke exactly one without breaking the others.

Use the key in server-to-server calls

Send the key on the x-api-key request header. That's the header name the Leadgram API is built around:

curl https://leadgram.org/api/<endpoint> \
  -H "x-api-key: YOUR_API_KEY"

Programmatic API authentication by key isn't enabled on endpoints yet. Key management (create, name, revoke) works today; request auth is coming. This is the request shape you'll use once it's live, not something you can rely on now.

Swap in whichever endpoint you're integrating when request auth ships.

Rotate and revoke

There's no in-place "regenerate": a key's secret is fixed for its lifetime. To rotate one, create a new key first, swap it into your integration, confirm it works, then revoke the old key from the table so nothing keeps running on it. Revoking is immediate: click Revoke on a key's row and it stops working right away, with no grace period, so do the swap before the revoke, not after.

Common pitfalls

  • The secret is shown once, at creation. Close the dialog before copying it and it's gone for good; revoke the key and create a new one.
  • A key carries your account's full access, so don't paste it into a support chat, a public repo, or a shared script, and rotate anything that leaked.
  • Revoking has no undo and no delay: any integration still using the old key starts failing immediately.
  • Name your keys for what they're plugged into (e.g. "Keitaro prod") so you know which one to revoke when something breaks, instead of guessing from a bare creation date.