Appearance
10. API Keys
Navigation path: Sidebar → Business Settings → API Keys
API keys allow external applications — such as your Rentmy.co storefront, mobile app, or custom integration — to communicate securely with Leaper Dev. They are required to submit click events, page views, and conversions programmatically, and to initialize the Leaper Dev tracking SDK.
10.1 API Keys List View
Each key record displays:
| Column | Description |
|---|---|
| Name | A human-readable label for the key |
| API Key | The key value (masked for security; click Copy API key to copy to clipboard) |
| Scopes | The permissions granted to this key |
| Status | Active or Revoked |
| Last Used | Timestamp of the most recent API call made with this key |
| Created | Date the key was generated |
10.2 Available Scopes
When creating a key, select only the scopes your integration actually needs (principle of least privilege):
| Scope | Permission Granted |
|---|---|
affiliates:read | Read affiliate records |
affiliates:write | Create or update affiliate records |
conversions:read | Read conversion data |
conversions:write | Submit conversion events |
clicks:read | Read click tracking data |
clicks:write | Submit click events |
commissions:read | Read commission data |
reports:read | Access analytics report data |
sdk:init | Initialize the Leaper Dev JavaScript SDK on your storefront |
pageviews:write | Submit page view events |
10.3 Creating an API Key
- Click Create Key.
- Enter a descriptive Name (e.g.,
Rentmy Production,Staging Environment). - Click each scope toggle to select the permissions needed. Selected scopes appear highlighted.
- Click Create Key.
- Copy the key immediately — the full key value is shown only once. Store it securely in your application's environment variables or a secrets manager. Never paste it into publicly accessible code or documents.
10.4 Revoking or Deleting a Key
- Revoke — Immediately disables the key so it can no longer authenticate API requests. The key record remains visible in the list with a Revoked status. Use this when a key may be compromised.
- Delete — Permanently removes the key record from the list.
Example scenario: A developer discovers that an API key was accidentally pushed to a public GitHub repository. The administrator immediately opens API Keys, clicks Revoke on the compromised key, generates a new key with the same scopes, updates the Rentmy.co integration with the new key value, and notifies the development team.
Security best practice: Never expose API keys in client-side JavaScript, browser-accessible files, or version control systems. Rotate keys periodically and revoke any key that is no longer in use.