Back to Site

API Keys

Learn how to generate and manage API keys in LeafPad. Keys are scoped to a user and organization, support custom expiry, and authenticate via the x-api-key header.

April 6, 2026 4 min read
A
Abhishek Singh
Published in Leafpad Docs

API keys let you authenticate programmatically with LeafPad no browser session required. Use them to call LeafPad APIs from your server, scripts, or CI pipelines.

Generating an API Key

  1. Open your LeafPad dashboard and navigate to Settings → API Keys.

  2. Click Generate API Key.

  3. Optionally set an expiry period keys can be time-limited (e.g. 30 days) or have no expiry at all.

  4. Copy the key immediately. For security reasons, LeafPad only shows the full key once at creation time.

Key Scoping

Every API key is bound to two things:

  • User: the key belongs to the account that created it and inherits its permissions.

  • Organization: the key is tied to the organization that was active at the time of creation. All API calls made with that key operate within that organization's data.

If you need keys for multiple organizations, generate a separate key while each organization is active.

Expiry

When generating a key you can choose a custom expiry duration. Once a key expires it is automatically rejected — no manual revocation needed. For long-lived integrations consider rotating keys periodically even if they have no expiry set.

Using an API Key

Pass the key in the x-api-key request header:

x-api-key: YOUR_API_KEY

Example: cURL

curl -X POST https://leafpad.io/api/public/v1/knowledge-base \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"text": "Product documentation content here"}'

Example: Node.js

const res = await fetch('https://leafpad.io/api/public/v1/knowledge-base', {
  method: 'POST',
  headers: {
    'x-api-key': process.env.LEAFPAD_API_KEY,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ text: 'Product documentation content here' }),
});

const data = await res.json();

Revoking a Key

Go to Settings → API Keys and click Revoke next to the key you want to remove. Revoked keys are rejected immediately.

Rate Limits

Each API key is rate-limited to 2,000 requests per day. Requests beyond this limit receive a 429 Too Many Requests response.

Security Best Practices

  • Store keys in environment variables — never commit them to source control.

  • Set an expiry period for short-lived integrations.

  • Rotate keys regularly for long-lived integrations.

  • Revoke any key you suspect has been compromised.

Published with LeafPad

Tags

docssecurity