Security and data privacy

The Speakeasy platform is built with security and privacy as core development principles. Using your company’s API specifications, the Speakeasy platform creates high-quality code hosted on GitHub.

The following sections detail our privacy and security policy for all artifacts generated and maintained through Speakeasy, such as SDKs, as well as key information regarding security features like permissions and access.

FAQ

Do I need to install something?
Does the Speakeasy platform access my API or customer data in any way?
What information about my company or users does Speakeasy have access to?
How does the Speakeasy service work?
Do I need to log in to the Speakeasy platform to use the service?
Can Speakeasy be run in an air-gapped environment?
Does Speakeasy store package manager secrets?
What are Speakeasy’s data storage policies?

Do I need to install something?

The Speakeasy CLI (opens in a new tab) is a command-line interface (CLI) that facilitates the creation of SDKs, Terraform providers, Postman collections, and documentation.

Written in Go and fully open source (opens in a new tab), the CLI is compiled into binaries for easy customer use.

Typically, the CLI is used within a customer’s continuous integration/continuous deployment (CI/CD) workflow as part of the standard engineering and development flow. For most customers, this means installing the CLI as a GitHub Action in GitHub. If a customer doesn’t use GitHub, the CLI can be installed on whichever system, server, or cloud environment the customer uses.

Does the Speakeasy platform access my API or customer data in any way?

Speakeasy does not sit in the API call chain. Therefore, the Speakeasy platform does not have access to or store your customer data or API request data in any form.

What information about my company or users does Speakeasy have access to?

Speakeasy has very little access to data about your employees and users.

For user authorization purposes, Speakeasy stores user login email addresses. Speakeasy also stores limited service usage data, for example, the times at which an SDK generation is run.

How does the Speakeasy service work?

Speakeasy is shipped as a verified GitHub Action (opens in a new tab) and runs in your GitHub environment (either in the cloud or on-premises). The GitHub Action accesses your company’s API specification, which is a static file describing the API contract, but this specification is not sent to Speakeasy.

It’s worth noting that this API specification is often made public and/or sent to third-party vendors to generate API documentation.

Do I need to log in to the Speakeasy platform to use the service?

Yes, using the Speakeasy platform requires you to log in through one of our supported authentication providers. However, this is only to request an API key (referred to in documentation as a SPEAKEASY_API_KEY). Once that key is obtained and stored, all features of the platform can be accessed directly via the CLI.

Can Speakeasy be run in an air-gapped environment?

Yes, the sending of usage metadata to Speakeasy can be disabled on request. Please reach out to info@speakeasy.com for more information.

Does Speakeasy store package manager secrets?

No, Speakeasy does not store any package manager secrets. Speakeasy uses these secrets to publish SDKs on your behalf. Package manager secrets are stored as secrets in your GitHub repository and are only viewable to members of your GitHub organization. Using Speakeasy to publish to package managers is optional.

What are Speakeasy’s data storage policies?

Speakeasy stores:

• Email addresses used to log in to the Speakeasy platform.
• Metadata on SDK generation runs, specifically the date and time an SDK was generated, the language it was generated in, the version of the specification used, and the error details for any errors that occurred.
• Point-in-time snapshots of API specifications for comparing changes to an API specification over time.

Speakeasy DOES NOT store:

• Any customer-generated code, unless specifically configured in a Speakeasy-hosted repository.

Customer-hosted repositories

Note

The following guidance refers to artifacts hosted in the Speakeasy GitHub organization, speakeasy-sdks, on behalf of the customer.

A Speakeasy-created artifact (like an SDK) can be hosted on GitHub in a repository in your GitHub organization (for example, www.github.com/yourcompany/sdk).

The Speakeasy service is provided through the Speakeasy CLI, which is distributed as a Go binary and accessible through various package managers like Homebrew and Chocolatey.

Speakeasy generates code in one of two ways:

1. Locally, using the Speakeasy CLI on a developer’s machine.
2. On infrastructure connected to your organization’s GitHub account, using “GitHub runners”.

Artifacts created in either of these ways will require certain permissions to be granted to Speakeasy workflows in your GitHub repository. These permissions are self-documenting in GitHub workflow files, as illustrated here (opens in a new tab).

The following snippet is from the GitHub workflow file that Speakeasy creates and maintains in your SDK repository:

permissions:
  checks: write
  contents: write
  pull-requests: write
  statuses: write

Here, Speakeasy requests write permission on checks, contents, pull-requests, and statuses in your repository. Speakeasy will respect any permissions inherited from the top-level settings of the GitHub organization.

Speakeasy-hosted repositories

Note

The following guidance refers to artifacts hosted on behalf of the customer in the Speakeasy GitHub organization, speakeasy-sdks.

Speakeasy-hosted artifacts are created in the speakeasy-sdks GitHub organization (opens in a new tab) owned by Speakeasy. These artifacts follow the same set of security guidelines and permissions as customer-hosted artifacts.

Code security and privacy

CLI events

The Speakeasy CLI submits events to the Speakeasy platform to monitor errors, usage, and other telemetry data. This data is used to track and resolve issues, identify trends, and improve the Speakeasy platform.

The CLI commands that currently send telemetry data are speakeasy run and speakeasy generate. The data points these commands send are as follows:

Third-party dependencies

• Third-party code dependencies: All Speakeasy-created SDKs use minimal to no third-party dependencies. Please see the language-specific design pages for more information.
• All tokens stored as GitHub secrets: Publishing tokens, such as those used for npm or PyPI, are stored as GitHub Actions secrets (opens in a new tab). The Speakeasy GitHub workflows use these tokens to publish SDK packages to package managers on behalf of the customer, but will never export or have plain-text access to these tokens.

Code ownership

• All code generated by Speakeasy is owned by the customer. Speakeasy licenses code with the open source MIT License (opens in a new tab) by default. The license can be altered by the owner of the SDK at any time after generation.
• Authentication with the Speakeasy platform: When the Speakeasy code generator is invoked, the generation is authenticated with the Speakeasy platform using a GitHub secret named SPEAKEASY_API_KEY. This is an opaque token that authenticates each generation run with a workspace on the platform, enabling Speakeasy to collect metadata on generations on a per-customer basis. This metadata does not include generated code or the raw API specification.

Found a bug or vulnerability?

Think you may have found a security bug? We’d be happy to work with you to explore and resolve the issue - and ensure you are fairly rewarded. Rewards will be based on severity, as per the Common Vulnerability Scoring System (opens in a new tab). Get in touch with us at bugs@speakeasy.com to learn more.

Questions?

Please don’t hesitate to reach out to us at info@speakeasy.com with any questions you have about the information contained on this page.