Authorization header with the Bearer scheme:

| Credential | Header | Use it for |
|---|---|---|
| Leadping user access token | `Authorization: Bearer <leadping_user_access_token>` | First-party user-scoped API operations |
| Business API key | `Authorization: Bearer lp_...` | Agent, service, and integration access to a business |
| Source key | `Authorization: Bearer lp_src_...` | Lead ingestion only from an approved source |

The `lp_src_` source key is not an SDK-default, agent, service, account, or business API credential; it is only for approved source lead ingestion.

Discovery

Machine-readable authentication discovery is available at:

- Agent authentication guide: https://leadping.ai/auth.md
- Protected resource metadata: https://leadping.ai/.well-known/oauth-protected-resource
- API protected resource metadata: https://api.leadping.ai/.well-known/oauth-protected-resource
- Authorization server metadata: https://leadping.ai/.well-known/oauth-authorization-server
- OpenID Connect metadata: https://leadping.ai/.well-known/openid-configuration
- OpenAPI reference: https://api.leadping.ai/openapi/v1.json

401 Unauthorized, it can include a resource metadata pointer:

https://leadping.ai/auth.md before attempting authenticated calls.

User-Scoped Access

Signed-in user API calls use Leadping user access tokens issued for production. Use user-scoped tokens only when your application is operating as a signed-in Leadping user. The SDKs do not manage login, token refresh, token storage, or logout for you; attach the token in your request adapter. For token validation, use the machine-readable metadata above for the production client id, issuer, and JWKS URL.

Agent And Service Access

Leadping currently supports user-claimed service authentication for agents and service integrations:

- Send the user to https://leadping.ai/api-keys.
- The user signs in through Leadping.
- The user selects the business the integration should access.
- The user creates a business API key and chooses an expiration.
- Store the returned key securely. Leadping only shows the full key once.

auth.md file and well-known metadata will be updated before clients should depend on that flow.

Source Intake

External lead submissions use a source key instead of a user token or business API key:

- `POST /leads`
- `POST /leads/intake`
- `GET /leads/intake`

Do not use `lp_src_` source keys for account, business, user, analytics, setup, or other non-ingestion API operations. For setup and validation details, see Sending Leads to Leadping.

Credential Handling

Treat user tokens, business API keys, and source keys as secrets. Store them outside source code, transmit them only over HTTPS, rotate them after exposure, and revoke credentials that are no longer needed. The generated SDKs do not own token storage, API key storage, refresh flows, or secret rotation. Keep credentials in your application infrastructure and inject the correct `Authorization` header into the Kiota request adapter.
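
A guard that can sit in front of the request adapter and enforce the rules on this page before a credential is attached. This is an added example, not Leadping or SDK code: `classify`, `redact` and `authorization_header` are hypothetical names, the API host is assumed from the OpenAPI reference URL, and routes are assumed to sit at its root.

```python
from urllib.parse import urlsplit

# Ingestion routes listed under "Source Intake" on this page.
SOURCE_INTAKE_ROUTES = {
    ("POST", "/leads"), ("POST", "/leads/intake"), ("GET", "/leads/intake"),
}
# Assumption: API host as it appears in the OpenAPI reference URL, routes at its root.
API_HOST = "api.leadping.ai"


def classify(credential: str) -> str:
    """Classify by prefix. lp_src_ is tested first: every source key also starts with lp_."""
    if credential.startswith("lp_src_"):
        return "source_key"
    if credential.startswith("lp_"):
        return "business_api_key"
    return "user_access_token"


def redact(credential: str) -> str:
    """Log-safe form: keep only the type prefix, never key material."""
    prefix = {"source_key": "lp_src_", "business_api_key": "lp_"}.get(classify(credential), "")
    return f"{prefix}***"


def authorization_header(credential: str, method: str, url: str) -> dict:
    """Build the Authorization header for one request, or raise ValueError."""
    if not credential or any(ch.isspace() for ch in credential):
        raise ValueError("empty credential or embedded whitespace (header injection risk)")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{redact(credential)}: credentials go over HTTPS only")
    if parts.hostname != API_HOST:
        raise ValueError(f"{redact(credential)}: unexpected host {parts.hostname!r}")
    route = (method.upper(), parts.path.rstrip("/") or "/")
    if classify(credential) == "source_key" and route not in SOURCE_INTAKE_ROUTES:
        raise ValueError(f"{redact(credential)}: source keys are for lead ingestion only")
    return {"Authorization": f"Bearer {credential}"}


if __name__ == "__main__":
    key = "lp_src_CONSTRUCTED_EXAMPLE"  # constructed sample value, not a real key
    print(authorization_header(key, "POST", "https://api.leadping.ai/leads/intake"))
    try:
        authorization_header(key, "GET", "https://api.leadping.ai/account")  # hypothetical path
    except ValueError as err:
        print("blocked:", err)
```

Error messages carry only the redacted prefix, so a rejected request can be logged without exposing the key.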
