Revision Date: July 5, 2026

The Leadping API accepts three credential forms in the Authorization header with the Bearer scheme:
Credential | Header | Use it for
Leadping user access token | Authorization: Bearer <leadping_user_access_token> | First-party user-scoped API operations
Business API key | Authorization: Bearer lp_... | Agent, service, and integration access to a business
Source key | Authorization: Bearer lp_src_... | Lead ingestion only from an approved source
For SDK, agent, and service integrations, use a Leadping business API key. An lp_src_ source key is not an SDK-default, agent, service, account, or business API credential; it is only for approved source lead ingestion.

Discovery

Machine-readable authentication discovery is available at:
When the API returns 401 Unauthorized, it can include a resource metadata pointer:
WWW-Authenticate: Bearer resource_metadata="https://api.leadping.ai/.well-known/oauth-protected-resource"
Agent clients should follow that metadata and https://leadping.ai/auth.md before attempting authenticated calls.

User-Scoped Access

Signed-in user API calls use Leadping user access tokens issued for production. Use user-scoped tokens only when your application is operating as a signed-in Leadping user. The SDKs do not manage login, token refresh, token storage, or logout for you; attach the token in your request adapter. For token validation, use the machine-readable metadata above for the production client id, issuer, and JWKS URL.

Agent And Service Access

Leadping currently supports user-claimed service authentication for agents and service integrations:
  1. Send the user to https://leadping.ai/api-keys.
  2. The user signs in through Leadping.
  3. The user selects the business the integration should access.
  4. The user creates a business API key and chooses an expiration.
  5. Store the returned key securely. Leadping only shows the full key once.
Send the key on business-scoped API requests that support business API key access:
Authorization: Bearer lp_example
Leadping does not currently support anonymous agent self-registration, ID-JAG identity assertion registration, or Cross App Access token exchange for third-party agents. If Leadping enables direct OAuth, MCP OAuth, or agent registration flows later, the auth.md file and well-known metadata will be updated before clients should depend on that flow.

Source Intake

External lead submissions use a source key instead of a user token or business API key:
POST https://api.leadping.ai/leads/intake
Authorization: Bearer lp_src_example
Content-Type: application/json
Use source keys only for approved source lead ingestion routes:
  • POST /leads
  • POST /leads/intake
  • GET /leads/intake
Leadping rejects lp_src_ source keys for account, business, user, analytics, setup, and other non-ingestion API operations. For setup and validation details, see Sending Leads to Leadping.

Credential Handling

Treat user tokens, business API keys, and source keys as secrets. Store them outside source code, transmit them only over HTTPS, rotate them after exposure, and revoke credentials that are no longer needed. The generated SDKs do not own token storage, API key storage, refresh flows, or secret rotation. Keep credentials in your application infrastructure and inject the correct Authorization header into the Kiota request adapter.
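
The route restriction under Source Intake and the handling rules above can be enforced on the client before a secret leaves the process. The following is an added example, not Leadping or SDK code: the function names, the LEADPING_API_KEY variable, the host pin to api.leadping.ai, and the rule that any credential without an lp_ prefix is a user access token are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit

# The only routes the page lists as accepting lp_src_ source keys.
SOURCE_KEY_ROUTES = {("POST", "/leads"), ("POST", "/leads/intake"), ("GET", "/leads/intake")}
API_HOST = "api.leadping.ai"  # host from the URLs on the page; pinning it is an assumption


def classify(credential: str) -> str:
    """Classify by prefix. lp_src_ is tested first because it also matches lp_."""
    if credential.startswith("lp_src_"):
        return "source_key"
    if credential.startswith("lp_"):
        return "business_api_key"
    # Assumption: anything without an lp_ prefix is a user access token.
    return "user_access_token"


def auth_header(credential: str, method: str, url: str) -> dict:
    """Return the Authorization header, or raise before the secret is sent."""
    if not credential or credential != credential.strip() or any(c in credential for c in "\r\n"):
        raise ValueError("credential is empty or contains stray whitespace or newlines")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("credentials are sent over HTTPS only")
    if parts.hostname != API_HOST:
        raise ValueError(f"refusing to send a Leadping credential to {parts.hostname!r}")
    route = (method.upper(), parts.path.rstrip("/") or "/")
    if classify(credential) == "source_key" and route not in SOURCE_KEY_ROUTES:
        raise PermissionError("lp_src_ source keys are for lead ingestion routes only")
    return {"Authorization": f"Bearer {credential}"}


def credential_from_env(var: str = "LEADPING_API_KEY") -> str:
    """Load the secret from the environment (hypothetical variable name), not source code."""
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set")
    return value
```

Call auth_header from the request adapter so that a misconfigured source key fails locally instead of being transmitted to a route that will reject it.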