Skip to main content

Authentication

Every API request must include your API key in the Authorization header.

API Base URL

All requests must be sent to the secure Bodyguard proxy: https://api.leaf7.fun
Direct access to auth.leaf7.fun is strictly prohibited and will result in a 403 Forbidden error.

Finding your API key

  1. Log in to your Leaf7 Dashboard
  2. Navigate to Settings
  3. Your API key is displayed under API Key
Automated Key Rotation: For security, your API key is automatically rotated every 7 days. You will receive an email warning 24 hours before rotation, and a confirmation email with your new key once rotated. Your old key remains valid for a 24-hour grace period after rotation.
Keep your API key secret. Anyone with your key has full access to your projects, keys, and source code. Never expose it in client-side code, public repositories, or Discord messages.

Using your API key

Include your API key as a Bearer token in the Authorization header of every request.
Always include a trailing slash at the end of your API endpoints (e.g., /projects/ instead of /projects) to ensure optimal performance and avoid redirect overhead.
curl -X GET https://api.leaf7.fun/api/vendor/projects/ \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

import requests

API_KEY = "your-api-key-here"
BASE_URL = "https://api.leaf7.fun"

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

# Note the trailing slash at the end of the URL
response = requests.get(f"{BASE_URL}/api/vendor/projects/", headers=headers)
print(response.json())

Error responses

If your API key is missing or invalid, you’ll receive: 
{
    "detail": "Not authenticated"
}
with HTTP status code 401 or 403.

Rate limits

ScopeLimitWindow
Global60 requestsPer minute
Key generation30 requestsPer minute
Webhook relay30 requestsPer minute
Exceeding rate limits returns a 429 Too Many Requests response. Back off and retry after the window resets.