
Supplier API Key Setup

Generate, rotate, and secure Lead Distro AI supplier API keys. Authentication header format, key compromise recovery, IP allowlisting, and FAQs.

What is the Supplier API Key?

Every supplier gets a unique API key auto-generated on creation. The key authenticates the supplier when posting leads to the ingest API — without a valid key, requests are rejected with HTTP 401. Each key is scoped to one supplier; one supplier's key can't post leads on behalf of another.

Where to Find the Key

  • Open the supplier's detail page in the Lead Distro AI dashboard.
  • Find the API Key field — it shows a copy button next to the masked key.
  • Click Reveal to see the full key, Copy to copy to clipboard.
  • Each supplier also has a dedicated API Specs page at `/api-specs//` with copy-paste curl examples — share this with the supplier's developer.

Using the Key

Pass the key in the `x-api-key` HTTP header on every POST to the ingest endpoint:

curl -X POST https://app.leaddistro.ai/api/v1/ingest \
  -H "Content-Type: application/json" \
  -H "x-api-key: sk_supplier_abc123xyz789" \
  -d '{ "flo_campaign_id": "...", "flo_supplier_id": "...", ... }'
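The curl call above is what a supplier's developer would run by hand. The following is an added example of the same call done server-side in Python; it is not Lead Distro AI's own code or SDK. It assumes the key is read from an environment variable named `LEAD_DISTRO_API_KEY` (an assumed name; any server-side secret store works), uses the documented endpoint and `x-api-key` header, and maps the documented 401 and 403 responses to what the operator should check. The sample lead and its IDs are constructed placeholders.

```python
"""Server-side submission of a lead to the Lead Distro AI ingest endpoint.

Added example, not Lead Distro AI's own code. Assumptions: the key is read from
the LEAD_DISTRO_API_KEY environment variable (an assumed name) and the lead body
carries flo_campaign_id / flo_supplier_id as in the docs' curl example.
"""
import json
import os
import urllib.error
import urllib.request

INGEST_URL = "https://app.leaddistro.ai/api/v1/ingest"
REQUIRED_FIELDS = ("flo_campaign_id", "flo_supplier_id")


def load_api_key(env_var="LEAD_DISTRO_API_KEY", environ=os.environ):
    """Fetch the key from the process environment; never hard-code it."""
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a key")
    return key


def redact(api_key):
    """Log-safe rendering of a key: enough to tell keys apart, not enough to use."""
    if len(api_key) < 12:
        return "***"
    return api_key[:4] + "..." + api_key[-4:]


def build_ingest_request(api_key, lead):
    """Return (url, headers, body) for one lead; fails early on missing routing fields."""
    missing = [f for f in REQUIRED_FIELDS if not lead.get(f)]
    if missing:
        raise ValueError(f"lead is missing required fields: {missing}")
    headers = {"Content-Type": "application/json", "x-api-key": api_key}
    return INGEST_URL, headers, json.dumps(lead).encode("utf-8")


def classify_status(status):
    """Translate the ingest endpoint's status into what the operator should check."""
    if 200 <= status < 300:
        return "accepted"
    if status == 401:
        return "invalid_key"            # x-api-key missing, wrong, or belongs to a deleted supplier
    if status == 403:
        return "campaign_not_attached"  # key is valid but the supplier isn't attached to flo_campaign_id
    return "other"


def post_lead(lead, api_key=None):
    """POST one lead; returns (outcome, response_text). This is the live network call."""
    api_key = api_key or load_api_key()
    url, headers, body = build_ingest_request(api_key, lead)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_status(resp.status), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # Record the outcome with a redacted key; the full key never reaches logs.
        print(f"ingest returned {err.code} for key {redact(api_key)}")
        return classify_status(err.code), err.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample lead; the IDs are placeholders, not real campaign/supplier IDs.
    sample = {"flo_campaign_id": "CAMPAIGN_ID_PLACEHOLDER",
              "flo_supplier_id": "SUPPLIER_ID_PLACEHOLDER",
              "email": "lead@example.com"}
    print(post_lead(sample))
```

Keeping `build_ingest_request` and `classify_status` separate from the network call lets you unit-test the header and body construction without touching the live endpoint, and `redact` is what should appear in any log line, never the key itself.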

Key Security

  • Never expose keys in client-side code — keys must stay server-side. Browser-visible keys can be extracted and abused.
  • Never commit keys to public repos — even private repos should use environment variables, not hard-coded values.
  • Rotate keys when a developer leaves — same hygiene as any production credential.
  • Treat each supplier's key as separate — don't reuse keys across suppliers; per-supplier keys make audit + revocation surgical.

Rotating a Compromised Key

If you suspect a key is compromised, the safest path is to delete the supplier and create a new one — Lead Distro AI generates a fresh key on creation and the old key is invalidated immediately. Update the supplier's integration with the new key.

Avoid in-place key rotation for high-volume suppliers — there's a window where both old and new keys may be in use as the supplier updates their integration. Delete-and-recreate is cleaner: the old key dies instantly, the supplier knows they need to update before traffic can resume.

Frequently Asked Questions

Where do I find a Lead Distro AI supplier's API key?
On the supplier's detail page — the API Key field shows a masked value with Reveal and Copy buttons. The key is auto-generated when you create the supplier and remains stable until you delete the supplier or rotate it. Each supplier has a dedicated API Specs page at `/api-specs//` with copy-paste integration examples.
Can a single supplier API key authenticate multiple campaigns?
Yes — but only campaigns the supplier is explicitly attached to. The API key authenticates the supplier; the `flo_campaign_id` in the request body specifies which campaign to route the lead into. Supplying a `flo_campaign_id` the supplier isn't attached to returns 403 `unauthorized`.
What happens if my supplier's API key is compromised?
Delete the supplier from the dashboard — this instantly invalidates the key. Create a new supplier (which generates a fresh key) and update the integration. The brief window of traffic loss during the swap is the safest path; in-place rotation has a longer dual-key window during which an attacker could still post leads with the old key.
Can I restrict which IP addresses can use a supplier's API key?
Not natively in the supplier settings — Lead Distro AI doesn't have per-supplier IP allowlists today. For high-security verticals, route ingest API traffic through a server you control that adds IP-allowlist logic before forwarding to Lead Distro AI's ingest endpoint. Contact support for enterprise-tier IP allowlisting requirements.
What HTTP header carries the API key?
`x-api-key`. Send it on every POST to the ingest endpoint. Other header names like `Authorization: Bearer ...` or `api-key` are not recognized and return 401. The header name is case-insensitive per HTTP spec.
Do API keys expire?
No — keys are valid until you explicitly delete the supplier or the supplier is removed from all campaigns. Rotate manually when needed (developer turnover, security audit, suspected compromise). There's no auto-expiry like OAuth tokens.
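The IP-allowlisting answer above describes routing ingest traffic through a server you control. The following is an added example of such a relay in Python; it is not part of Lead Distro AI and not an official component. It assumes the supplier posts to the relay instead of to app.leaddistro.ai, that the supplier key is read from an environment variable named `LEAD_DISTRO_API_KEY` (an assumed name), and that the allowlist entries are the supplier's real egress addresses; the addresses shown are constructed documentation ranges.

```python
"""Minimal IP-allowlisting relay in front of the Lead Distro AI ingest endpoint.

Added example, not Lead Distro AI's code. The supplier posts to this relay
(which you host) rather than to app.leaddistro.ai; the relay checks the
caller's source IP against an allowlist, then forwards the body with the
supplier's key attached. The key is read from LEAD_DISTRO_API_KEY (an assumed
name), so it never has to be handed to anything outside your own server.
"""
import ipaddress
import json
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

INGEST_URL = "https://app.leaddistro.ai/api/v1/ingest"

# Constructed allowlist using documentation address ranges (RFC 5737);
# replace with the supplier's real egress addresses or CIDR blocks.
ALLOWLIST = ["203.0.113.0/24", "198.51.100.7"]


def parse_allowlist(entries):
    """Accept single addresses or CIDR ranges; malformed entries raise ValueError at startup."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(client_ip, networks):
    """Fail closed: an unparsable source address is never allowed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def forward_to_ingest(body, api_key, opener=urllib.request.urlopen):
    """Forward a raw JSON body to the ingest endpoint with x-api-key attached.

    Returns (status, response_bytes). `opener` is injectable so the relay logic
    can be exercised without network access."""
    req = urllib.request.Request(
        INGEST_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "x-api-key": api_key})
    try:
        with opener(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class RelayHandler(BaseHTTPRequestHandler):
    networks = parse_allowlist(ALLOWLIST)

    def do_POST(self):
        # client_address is the TCP peer. If this relay sits behind your own load
        # balancer, derive the real source from X-Forwarded-For only for hops you
        # control; never trust that header from arbitrary clients.
        client_ip = self.client_address[0]
        if not is_allowed(client_ip, self.networks):
            self.send_error(403, "source address not allowlisted")
            return
        api_key = os.environ.get("LEAD_DISTRO_API_KEY")
        if not api_key:
            self.send_error(500, "relay misconfigured: LEAD_DISTRO_API_KEY not set")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            json.loads(body)  # reject non-JSON before spending an upstream request
        except ValueError:
            self.send_error(400, "body is not valid JSON")
            return
        status, payload = forward_to_ingest(body, api_key)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), RelayHandler).serve_forever()
```

Run it behind TLS termination you control and point the supplier at the relay's address. Because the relay holds the key, the supplier's own systems no longer need a copy of it, which also narrows where a compromised key could leak from; rotation then touches only the relay's environment.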

If you have any questions, send us an email at support@leaddistro.ai