Authentication

Browser sessions, live API keys, publishable keys, and webhook secrets.

Authentication

LittleDemo has four authentication paths. Pick the narrowest one that fits the job.

Dashboard sessions

The dashboard uses your signed-in browser session. You do not need to pass headers when using the app itself.

Live API keys

Live keys are for trusted server-side code, local scripts, and CI. They can create projects, generate demos, refresh demos, and manage account resources.

bash
curl https://littledemo.com/api/v1/projects \  -H "Authorization: Bearer ld_live_xxx"

The X-API-Key header also works:

bash
curl https://littledemo.com/api/v1/projects \  -H "X-API-Key: ld_live_xxx"

Keep live keys out of browsers, public repos, mobile apps, and docs snippets copied from production.

Publishable keys

Publishable keys are for dynamic embeds. They start with ld_pub_, can be scoped to a project, and should have an allowed-domain list.

html
<script  src="https://littledemo.com/sdk.js"  data-littledemo-key="ld_pub_xxx"></script>

Use publishable keys only where browser exposure is expected.

Webhook secrets

Project webhook secrets are for refresh endpoints called from CI/CD systems.

bash
curl -X POST https://littledemo.com/api/v1/webhooks/projects/proj_abc123/refresh \  -H "X-Webhook-Secret: whsec_xxx"

Webhook secrets are project-scoped. Rotate them if they are printed in logs or copied into the wrong environment.

Was this page helpful?

Previous Quickstart

Next How it works