# API Authentication

> Use Leadping user tokens and business API keys for API access, and source keys only for lead ingestion.

*Revision Date: July 5, 2026*

The Leadping API accepts three credential forms in the `Authorization` header with the Bearer scheme:

| Credential                 | Header                                               | Use it for                                           |
| -------------------------- | ---------------------------------------------------- | ---------------------------------------------------- |
| Leadping user access token | `Authorization: Bearer <leadping_user_access_token>` | First-party user-scoped API operations               |
| Business API key           | `Authorization: Bearer lp_...`                       | Agent, service, and integration access to a business |
| Source key                 | `Authorization: Bearer lp_src_...`                   | Lead ingestion only from an approved source          |

For SDK, agent, and service integrations, use a Leadping business API key. An `lp_src_` source key is not an SDK-default, agent, service, account, or business API credential; it is only for approved source lead ingestion.

## Discovery

Machine-readable authentication discovery is available at:

* Agent authentication guide: [https://leadping.ai/auth.md](https://leadping.ai/auth.md)
* Protected resource metadata: [https://leadping.ai/.well-known/oauth-protected-resource](https://leadping.ai/.well-known/oauth-protected-resource)
* API protected resource metadata: [https://api.leadping.ai/.well-known/oauth-protected-resource](https://api.leadping.ai/.well-known/oauth-protected-resource)
* Authorization server metadata: [https://leadping.ai/.well-known/oauth-authorization-server](https://leadping.ai/.well-known/oauth-authorization-server)
* OpenID Connect metadata: [https://leadping.ai/.well-known/openid-configuration](https://leadping.ai/.well-known/openid-configuration)
* OpenAPI reference: [https://api.leadping.ai/openapi/v1.json](https://api.leadping.ai/openapi/v1.json)

When the API returns `401 Unauthorized`, it can include a resource metadata pointer:

```http
WWW-Authenticate: Bearer resource_metadata="https://api.leadping.ai/.well-known/oauth-protected-resource"
```

Agent clients should follow that metadata and `https://leadping.ai/auth.md` before attempting authenticated calls.
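
A client-side sketch of following that pointer, added here as an example and not taken from Leadping's SDKs: it parses a single Bearer challenge and returns the `resource_metadata` URL only when it is HTTPS and on an expected host. The allowlist (built from the discovery hosts listed above) and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Hosts of the discovery URLs listed on this page; using them as an allowlist
# is an assumption of this example.
TRUSTED_METADATA_HOSTS = {"leadping.ai", "api.leadping.ai"}

# auth-param = name "=" ( quoted-string | token ); the name pattern is simplified.
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_bearer_challenge(header_value):
    """Return the auth-params of a single Bearer challenge as a dict, or None."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Undo backslash escapes inside a quoted-string value.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return params


def resource_metadata_url(header_value):
    """Return the resource_metadata URL only if it is safe to follow, else None."""
    params = parse_bearer_challenge(header_value) or {}
    url = params.get("resource_metadata")
    if not url:
        return None
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed authority or port
        return None
    if parts.scheme != "https" or parts.hostname not in TRUSTED_METADATA_HOSTS:
        return None
    if parts.username or parts.password or port not in (None, 443):
        return None
    return url


# Header value shown on this page.
CHALLENGE = 'Bearer resource_metadata="https://api.leadping.ai/.well-known/oauth-protected-resource"'

if __name__ == "__main__":
    print(resource_metadata_url(CHALLENGE))
```
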

## User-Scoped Access

Signed-in user API calls use Leadping user access tokens issued for production.

Use user-scoped tokens only when your application is operating as a signed-in Leadping user. The SDKs do not manage login, token refresh, token storage, or logout for you; attach the token in your request adapter.

For token validation, use the machine-readable metadata above for the production client id, issuer, and JWKS URL.

## Agent And Service Access

Leadping currently supports user-claimed service authentication for agents and service integrations:

1. Send the user to [https://leadping.ai/api-keys](https://leadping.ai/api-keys).
2. The user signs in through Leadping.
3. The user selects the business the integration should access.
4. The user creates a business API key and chooses an expiration.
5. Store the returned key securely. Leadping only shows the full key once.

Send the key on business-scoped API requests that support business API key access:

```http
Authorization: Bearer lp_example
```

Leadping does not currently support anonymous agent self-registration, ID-JAG identity assertion registration, or Cross App Access token exchange for third-party agents. If Leadping enables direct OAuth, MCP OAuth, or agent registration flows later, the `auth.md` file and well-known metadata will be updated before clients should depend on that flow.

## Source Intake

External lead submissions use a source key instead of a user token or business API key:

```http
POST https://api.leadping.ai/leads/intake
Authorization: Bearer lp_src_example
Content-Type: application/json
```

Use source keys only for approved source lead ingestion routes:

* `POST /leads`
* `POST /leads/intake`
* `GET /leads/intake`

Leadping rejects `lp_src_` source keys for account, business, user, analytics, setup, and other non-ingestion API operations. For setup and validation details, see [Sending Leads to Leadping](/sending-leads-to-leadping).

## Credential Handling

Treat user tokens, business API keys, and source keys as secrets. Store them outside source code, transmit them only over HTTPS, rotate them after exposure, and revoke credentials that are no longer needed.

The generated SDKs do not own token storage, API key storage, refresh flows, or secret rotation. Keep credentials in your application infrastructure and inject the correct `Authorization` header into the Kiota request adapter.
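
A pre-flight check to run before injecting the header, added here as an example and not part of the Leadping SDKs: it enforces the HTTPS rule and the source-key route list from this page, and tests the `lp_src_` prefix before `lp_` because a source key matches both. Treating `api.leadping.ai` as the only destination and any unprefixed token as a user access token are assumptions of this example, as are the function names.

```python
from urllib.parse import urlsplit

# Host used in this page's request examples; pinning to it is an assumption.
API_HOST = "api.leadping.ai"

# Source-key routes listed on this page.
SOURCE_KEY_ROUTES = {
    ("POST", "/leads"),
    ("POST", "/leads/intake"),
    ("GET", "/leads/intake"),
}


def classify_credential(token):
    """Classify a credential by prefix.

    lp_src_ is checked first: a source key also starts with lp_, so the
    reverse order would treat it as a business API key.
    """
    if token.startswith("lp_src_"):
        return "source_key"
    if token.startswith("lp_"):
        return "business_api_key"
    return "user_access_token"  # assumption: anything unprefixed is a user token


def authorization_header(method, url, token):
    """Return the Authorization header for this request, or raise ValueError.

    Error messages never contain the token, so they are safe to log.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("credentials are sent over HTTPS only")
    if parts.hostname != API_HOST:
        raise ValueError(f"refusing to send a Leadping credential to {parts.hostname!r}")
    route = (method.upper(), parts.path.rstrip("/") or "/")
    if classify_credential(token) == "source_key" and route not in SOURCE_KEY_ROUTES:
        raise ValueError("source keys are valid only on lead ingestion routes")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    print(authorization_header("POST", "https://api.leadping.ai/leads/intake", "lp_src_example"))
```
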
