LeadPanther API Authentication

LeadPanther API v1 is currently available only with an approved API key. API keys are bearer tokens: whoever presents a key acts as its subject with all of its scopes, so keep keys server-side and never expose them in browser code.

Base URL:

https://app.leadpanther.ai/api/v1

Authorization Header

Send the API key in the Authorization header:

Authorization: Bearer lp_live_REDACTED

Supported key prefixes are:

  • lp_live_
  • lp_test_

Do not put API keys in query strings, browser code, mobile app bundles, logs, public repositories, issue trackers, or shared screenshots.

Check Your Key

Use GET /me to inspect the authenticated API subject.

Required scope: none (any valid API key).

curl "https://app.leadpanther.ai/api/v1/me" \
  -H "Authorization: Bearer lp_live_REDACTED"
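The following is an added example client, not code from LeadPanther or from this page. It loads the key from a server-side environment variable (the variable name LEADPANTHER_API_KEY is an assumption), rejects keys without a known prefix, builds the Authorization header, renders a log-safe redacted form, and calls GET /me through an injectable send hook so the whole thing can be exercised offline against a constructed response shaped like the agency example above.

```python
import json
import os
import urllib.request

# Added example client, not LeadPanther's own code. The base URL, header
# format, key prefixes and GET /me response shape come from the page; the
# environment variable name and the `send` hook are this example's choices.
BASE_URL = "https://app.leadpanther.ai/api/v1"
KEY_PREFIXES = ("lp_live_", "lp_test_")
ENV_VAR = "LEADPANTHER_API_KEY"  # assumed name; the key lives in the environment, never in code


def load_api_key(env=None):
    """Read the key server-side and reject anything without a known prefix."""
    key = (env if env is not None else os.environ).get(ENV_VAR, "").strip()
    if not key.startswith(KEY_PREFIXES):
        raise ValueError("%s is unset or does not start with lp_live_/lp_test_" % ENV_VAR)
    return key


def redact(key):
    """Log-safe rendering: keep the prefix so live vs test is visible, drop the secret."""
    for prefix in KEY_PREFIXES:
        if key.startswith(prefix):
            return prefix + "..."
    return "<unrecognised key>"


def auth_headers(key):
    """The key travels only in the Authorization header, never in the URL."""
    return {"Authorization": "Bearer " + key, "Accept": "application/json"}


def _urllib_send(method, url, headers):
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def whoami(key, send=_urllib_send):
    """GET /me and return (actor_type, scopes, owner user_id).

    `send(method, url, headers) -> (status, json_body)` is injectable so the
    function can be exercised offline with a canned response.
    """
    url = BASE_URL + "/me"
    assert key not in url, "API key must never be part of the URL"
    status, body = send("GET", url, auth_headers(key))
    if status != 200:
        raise RuntimeError("GET /me returned %s (request_id=%s), key=%s"
                           % (status, body.get("request_id"), redact(key)))
    data = body["data"]
    return data["actor_type"], frozenset(data["scopes"]), data["owner"]["user_id"]


# Constructed offline stand-in for the API, based on the page's redacted agency example.
FAKE_ME_RESPONSE = {
    "data": {
        "owner": {"user_id": "00000000-0000-4000-8000-000000000010",
                  "full_name": "Example Agency Owner",
                  "business_name": "Example Agency",
                  "account_status": "active"},
        "actor_type": "agency",
        "scopes": ["clients:read", "posts:read", "posts:write"],
        "subject": {"user_id": "00000000-0000-4000-8000-000000000010"},
    },
    "request_id": "req_000000000000000000000002",
}


def fake_send(method, url, headers):
    """Offline transport: checks the header the way the API would, then returns the canned body."""
    auth = headers.get("Authorization", "")
    if not (auth.startswith("Bearer ") and auth[7:].startswith(KEY_PREFIXES)):
        return 401, {"error": {"code": "unauthorized", "message": "Missing or invalid API key."},
                     "request_id": "req_000000000000000000000003"}
    return 200, FAKE_ME_RESPONSE


if __name__ == "__main__":
    key = load_api_key({ENV_VAR: "lp_test_REDACTED"})
    print(redact(key), whoami(key, send=fake_send))
```

Swap fake_send for the default urllib transport to hit the real endpoint; everything that touches the raw key stays in load_api_key and auth_headers, so logging anywhere else only ever sees the redacted form.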

Example direct-user response:

{
  "data": {
    "owner": {
      "user_id": "00000000-0000-4000-8000-000000000001",
      "full_name": "Client A",
      "business_name": "Client A Company",
      "account_status": "active"
    },
    "actor_type": "direct_user",
    "scopes": ["posts:read", "posts:write"],
    "subject": {
      "user_id": "00000000-0000-4000-8000-000000000001"
    }
  },
  "request_id": "req_000000000000000000000001"
}

Example agency response:

{
  "data": {
    "owner": {
      "user_id": "00000000-0000-4000-8000-000000000010",
      "full_name": "Example Agency Owner",
      "business_name": "Example Agency",
      "account_status": "active"
    },
    "actor_type": "agency",
    "scopes": ["clients:read", "posts:read", "posts:write"],
    "subject": {
      "user_id": "00000000-0000-4000-8000-000000000010"
    }
  },
  "request_id": "req_000000000000000000000002"
}

Public examples are redacted. Do not expose real owner IDs, client IDs, emails, API keys, key hashes, or production identifiers.

Scopes

Every scoped endpoint requires one specific scope. The * scope satisfies any required scope.

Scope                Allows
clients:read         List and retrieve accessible client accounts
posts:read           List and retrieve posts
posts:write          Create, update, and delete eligible posts
lead_magnets:read    List and retrieve lead magnets
lead_magnets:write   Create, update, and archive lead magnets
media:write          Create media upload URLs and delete owned uploaded media
analytics:read       Read post engagement and lead magnet analytics
leads:read           List leads
activity:read        List inbound activity
webhooks:write       Reserved for planned webhook functionality
*                    Satisfies any required scope

clients:read does not authorize posts, leads, lead magnets, media, or analytics by itself. For example, listing client posts requires posts:read; creating client posts requires posts:write.

Actor Types

API keys resolve to one of these actor types:

  • direct_user: acts on the API key owner's account when using direct routes.
  • agency: can act for client accounts only through nested client routes and active agency-client grants.

Direct-user routes:

/posts
/lead-magnets
/leads
/activity

Agency client routes:

/clients/{clientId}/posts
/clients/{clientId}/lead-magnets
/clients/{clientId}/leads
/clients/{clientId}/activity

When posting on behalf of a client, use /clients/{clientId}/posts, not /posts: the direct route acts on the API key owner's own account.
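The scope rules above and the actor-type routing together decide, before any request is sent, which path a call should use and which single scope it needs. The planner below is an added example, not LeadPanther code: the scope names, actor types and route shapes are from this page, while the mapping of list/get/create/update/delete operations to :read and :write scopes, the client ID sanity check and the PlanError class are this example's assumptions.

```python
# Added example, not LeadPanther's own code. Scope names, actor types and
# route shapes come from the page; the operation-to-scope mapping, the
# client ID check and PlanError are this example's assumptions.
RESOURCES = {
    # route segment -> (scope family, has a :write scope)
    "posts": ("posts", True),
    "lead-magnets": ("lead_magnets", True),
    "leads": ("leads", False),
    "activity": ("activity", False),
}
READ_OPS = {"list", "get"}
WRITE_OPS = {"create", "update", "delete"}
PATH_BREAKERS = set("/?#\\ \t\r\n")  # characters that would turn a client ID into a different route


class PlanError(Exception):
    """Raised before any request is sent, so a misrouted call never reaches the API."""


def has_scope(granted, required):
    """'*' satisfies any required scope; otherwise the exact scope must be present."""
    return "*" in granted or required in granted


def required_scope(resource, op):
    family, writable = RESOURCES.get(resource, (None, False))
    if family is None:
        raise PlanError("unknown resource %r" % resource)
    if op in READ_OPS:
        return family + ":read"
    if op in WRITE_OPS and writable:
        return family + ":write"
    raise PlanError("%s does not support %s" % (resource, op))


def plan_request(me, resource, op, client_id=None):
    """Return (path, required_scope) for an operation, or raise PlanError.

    `me` is the `data` object from GET /me. Passing client_id selects the
    nested /clients/{clientId}/... route, which the page reserves for agency keys.
    """
    scope = required_scope(resource, op)
    if client_id is None:
        path = "/" + resource
    else:
        if me.get("actor_type") != "agency":
            raise PlanError("only agency keys act for client accounts; use the direct route")
        if not client_id or PATH_BREAKERS.intersection(client_id):
            raise PlanError("client_id would alter the route: %r" % client_id)
        path = "/clients/%s/%s" % (client_id, resource)
    granted = set(me.get("scopes", []))
    if not has_scope(granted, scope):
        raise PlanError("key lacks %s (granted: %s)" % (scope, sorted(granted)))
    return path, scope


if __name__ == "__main__":
    # Constructed /me data, matching the page's redacted agency example.
    agency = {"actor_type": "agency", "scopes": ["clients:read", "posts:read", "posts:write"]}
    print(plan_request(agency, "posts", "create", client_id="client-REDACTED"))
    try:
        plan_request(agency, "leads", "list", client_id="client-REDACTED")
    except PlanError as e:
        print("refused:", e)
```

The second call in the demo is the case the page calls out: clients:read plus posts:* does not cover leads:read, so the planner refuses locally instead of spending a request to get a 403.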

Request IDs

You may send an optional request ID:

X-Request-Id: req_custom_0001

Accepted request ID values are 1 to 128 characters long and may contain only letters, digits, and the characters ., _, :, and -.

LeadPanther returns the request ID in the X-Request-Id response header and the response body:

{
  "data": {},
  "request_id": "req_custom_0001"
}

Use the response request_id when contacting LeadPanther support about an API call.
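As an added example (not LeadPanther code) of the request-ID contract just described: a validator for the documented character set and length, a generator for a fresh per-call ID, and a correlation check that the ID echoed in the X-Request-Id header and in the body's request_id agree with each other and with what was sent. The req_ prefix for generated IDs and the mismatch exception are this example's choices.

```python
import re
import uuid

# Added example, not LeadPanther's own code. The character set and length
# limit are from the page; the generator format and the mismatch checks are
# this example's choices.
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9._:-]{1,128}")


def is_valid_request_id(value):
    # fullmatch, not match with `$`: `$` would accept a trailing newline,
    # which the API would reject and which could smuggle a line into logs.
    return isinstance(value, str) and REQUEST_ID_RE.fullmatch(value) is not None


def new_request_id(prefix="req_"):
    """Fresh, unguessable ID for one call: 4 + 32 characters, all in the allowed set."""
    rid = prefix + uuid.uuid4().hex
    if not is_valid_request_id(rid):
        raise ValueError("prefix produced an invalid request ID: %r" % prefix)
    return rid


class RequestIdMismatch(Exception):
    pass


def correlate(sent_id, response_headers, body):
    """Return the request ID to quote to support, after checking the echoes agree.

    The API echoes the ID both in X-Request-Id and in the body's request_id;
    a disagreement between them, or with what was sent, means the response
    does not belong to this call (proxy cache, retry mix-up, wrong endpoint).
    """
    lowered = {k.lower(): v for k, v in response_headers.items()}
    header_id = lowered.get("x-request-id")
    body_id = body.get("request_id") if isinstance(body, dict) else None
    if header_id is None and body_id is None:
        raise RequestIdMismatch("response carries no request ID")
    if header_id is not None and body_id is not None and header_id != body_id:
        raise RequestIdMismatch("header %r != body %r" % (header_id, body_id))
    echoed = header_id if header_id is not None else body_id
    if sent_id is not None and echoed != sent_id:
        raise RequestIdMismatch("sent %r but response echoed %r" % (sent_id, echoed))
    return echoed


if __name__ == "__main__":
    rid = new_request_id()
    # Constructed response, shaped like the page's example echo.
    print(correlate(rid, {"X-Request-Id": rid, "Content-Type": "application/json"},
                    {"data": {}, "request_id": rid}))
```

Store the value correlate returns alongside your own log line for the call; that is the identifier support will ask for.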

Auth Errors

Missing, malformed, or invalid API keys return an authentication error:

{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid API key."
  },
  "request_id": "req_000000000000000000000003"
}

Missing scopes return a forbidden error:

{
  "error": {
    "code": "forbidden",
    "message": "API key is missing a required scope."
  },
  "request_id": "req_000000000000000000000004"
}

For agency calls, a 403 can also mean the agency does not have an active grant for the target client account. Check both the API key scope and the agency-client grant.
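The following added example (not LeadPanther code) turns the two error bodies above into typed exceptions that carry the request_id for support, and then separates the two causes of a 403 the last paragraph describes: a scope missing from the key, which is visible locally from GET /me, versus a missing agency-client grant, which is the remaining cause when the scope is present on a nested client route. The exception classes, the assumption that these errors arrive as HTTP 401 and 403, and the diagnose_forbidden heuristic are this example's own.

```python
# Added example, not LeadPanther's own code. The error codes and messages
# come from the page; the exception classes, the 401/403 status assumption
# and the diagnose_forbidden heuristic are this example's assumptions.
class LeadPantherError(Exception):
    def __init__(self, status, code, message, request_id):
        super().__init__("%s %s: %s (request_id=%s)" % (status, code, message, request_id))
        self.status = status
        self.code = code
        self.message = message
        self.request_id = request_id  # always quote this to support


class Unauthorized(LeadPantherError):
    """Missing, malformed or invalid key: fix or rotate the key; retrying as-is cannot succeed."""


class Forbidden(LeadPantherError):
    """Key is valid but not allowed: scope, or on client routes, the agency-client grant."""


def raise_for_error(status, body):
    """Turn an error response into a typed exception; return None for success."""
    if status < 400:
        return None
    body = body if isinstance(body, dict) else {}
    err = body.get("error") if isinstance(body.get("error"), dict) else {}
    code = err.get("code", "unknown")
    message = err.get("message", "")
    request_id = body.get("request_id")
    if code == "unauthorized" or status == 401:
        raise Unauthorized(status, code, message, request_id)
    if code == "forbidden" or status == 403:
        raise Forbidden(status, code, message, request_id)
    raise LeadPantherError(status, code, message, request_id)


def diagnose_forbidden(granted_scopes, required_scope, client_route):
    """After a 403, separate a scope problem (visible locally) from a grant problem.

    granted_scopes: `scopes` from GET /me. client_route: True when the call went
    to /clients/{clientId}/... Returns "scope", "grant" or "unknown".
    """
    granted = set(granted_scopes)
    if "*" not in granted and required_scope not in granted:
        return "scope"      # the key itself lacks the scope; no grant can fix that
    if client_route:
        return "grant"      # scope present, so the agency-client grant is the remaining cause
    return "unknown"        # scope present on a direct route: ask support with the request_id


if __name__ == "__main__":
    # Constructed response, matching the page's forbidden example.
    forbidden = {"error": {"code": "forbidden", "message": "API key is missing a required scope."},
                 "request_id": "req_000000000000000000000004"}
    try:
        raise_for_error(403, forbidden)
    except Forbidden as e:
        print(e, "->", diagnose_forbidden(["clients:read", "posts:read"], "posts:read", True))
```

Because the scope list comes from GET /me rather than from the 403 body, diagnose_forbidden tells you which of the two things to check without a second failing call.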

Security Notes

  • Keep API keys server-side.
  • Rotate keys if they are exposed.
  • Use only the scopes an integration needs.
  • Treat leads:read responses as personal data.
  • Treat activity:read responses as message/comment content that may include platform identifiers.
  • Treat the upload_url and token values returned for media uploads as short-lived sensitive values.

Rate limits are not yet a published contract. Idempotency keys are planned, not currently guaranteed. Webhook endpoints and generated SDKs are planned, not currently available.