Security and Data Privacy

The Speakeasy platform is built with security and privacy as core development principles. Using your company’s API specifications, the Speakeasy platform creates high-quality code hosted on GitHub.

The following sections detail our privacy and security policy for all artifacts generated and maintained through Speakeasy, such as SDKs, as well as key information regarding security features like permissions and access.

FAQ

Do I need to install something?
Does the Speakeasy platform access my API or customer data in any way?
What information about my company or users does Speakeasy have access to?
How does the Speakeasy service work?
Do I need to log in to the Speakeasy platform to use the service?
Can Speakeasy be run in an air-gapped environment?
Does Speakeasy store package manager secrets?
What are Speakeasy’s data storage policies?

Do I need to install something?

The Speakeasy CLI (opens in a new tab) facilitates the creation of SDKs, Terraform providers, Postman collections, and documentation.

Written in Go and fully open source (opens in a new tab), the CLI is compiled into binaries for easy customer use.

Typically, the CLI is used within a customer’s CI/CD (“continuous integration/continuous deployment”) workflow as part of the standard engineering and development flow. For most customers, this means installing the CLI as a GitHub action in GitHub. If a customer doesn’t use GitHub, the CLI can be installed in whichever system, servers, or cloud environment the customer uses.

Does the Speakeasy platform access my API or customer data in any way?

Speakeasy does not sit in the API call chain. Therefore, the Speakeasy platform does not have access to or store your customer data or API request data in any form.

What information about my company or users does Speakeasy have access to?

Speakeasy has very little access to data about your employees and users.

For user authorization purposes, Speakeasy stores user login email addresses. Speakeasy also stores limited service usage data, for example, when an SDK generation is run.

How does the Speakeasy service work?

Speakeasy is shipped as a verified GitHub Action (opens in a new tab) and runs in your GitHub environment (either in the cloud or on-prem). The GitHub Action accesses your company’s API specification, which is a static file describing the API contract, but this specification is not sent to Speakeasy.

It’s worth noting that this API specification is often made public and/or sent to third-party vendors to generate API documentation.

Do I need to log in to the Speakeasy platform to use the service?

Yes, using the Speakeasy platform requires logging in through one of our supported authentication providers. However, this is only to request an API key (referred to in documentation as a SPEAKEASY_API_KEY). Once that key is obtained and stored, all features of the platform can be accessed directly through the command line interface (CLI).

Can Speakeasy be run in an air-gapped environment?

Yes. Sending metadata on usage to Speakeasy can be disabled on request. Please reach out to info@speakeasyapi.dev for more information.

Does Speakeasy store package manager secrets?

No, Speakeasy does not store any package manager secrets. Speakeasy uses these secrets to publish SDKs on your behalf. Package manager secrets are stored as secrets on your GitHub repository and are only viewable to members of your GitHub organization. Publishing to package managers using Speakeasy is optional.

What are Speakeasy’s data storage policies?

Speakeasy stores:

  • Email addresses used to log in to the Speakeasy platform.
  • Metadata on SDK generation runs, specifically, when an SDK is generated, the language it is generated in, the version of the specification used, the time it is generated, and error details if any occur.
  • Point-in-time snapshots of API specifications to compare changes in the API specification over time.

Speakeasy DOES NOT store:

  • Any customer-generated code, unless specifically configured in a Speakeasy-hosted repository.

Customer-Hosted Repositories

Info Icon

Note

The following guidance refers to artifacts hosted in the Speakeasy GitHub organization, speakeasy-sdks, on behalf of the customer.

A Speakeasy-created artifact (like an SDK) can be hosted on GitHub in a repository in your GitHub organization (for example, www.github.com/yourcompany/sdk).

The Speakeasy service is provided through a CLI that is distributed as a Go binary and accessible through various package managers like Homebrew and Chocolatey.

Speakeasy generates code in one of two ways:

  1. Locally, using the Speakeasy CLI on a developer’s machine.
  2. On infrastructure connected to your organization’s GitHub account, using “GitHub Runners”.

Artifacts created in either of these ways will require certain permissions to be granted to Speakeasy workflows on your GitHub repository. These permissions are self-documenting in GitHub workflow files, as illustrated here (opens in a new tab).

The following snippet is from the GitHub workflow file that Speakeasy creates and maintains in your SDK repository:

permissions:
checks: write
contents: write
pull-requests: write
statuses: write

Here, Speakeasy requests write permission on checks, contents, pull-requests, and statuses in your repository. Speakeasy will respect any permissions inherited from the top-level settings of the GitHub organization.

Speakeasy-Hosted Repositories

Info Icon

Note

The following guidance refers to artifacts hosted on behalf of the customer in the Speakeasy GitHub organization, speakeasy-sdks.

Speakeasy-hosted artifacts are created in the https://github.com/speakeasy-sdks GitHub organization (opens in a new tab) owned by Speakeasy and follow the same set of security guidelines and permissions as customer-hosted artifacts.

Code Security and Privacy

CLI Events

The Speakeasy CLI submits events to the Speakeasy platform to monitor errors, usage, and other telemetry data. This data is used to track and resolve issues, identify trends, and improve the Speakeasy platform.

The CLI commands that currently send telemetry data are speakeasy run and speakeasy generate. The data points these commands send are:

Data PointDescription
CustomerIDA unique string identifying a specific customer account
WorkspaceIDA unique string identifying a specific customer workspace
LanguageThe name of the target language, for example, go, python, or typescript
TemplateThe name of the template folder to use for the target, for example, go, typescriptv2, or javav2
RunLocationWhether the generation runs in a terminal (cli) or GitHub action (action)
GenVersionThe specific generator version used
CLIVersionThe specific CLI version used
FeatureTrackingA list of features the generator does or does not use
ConfigTrackingA list of configuration values the generator uses
GenIgnoreUsedWhether or not a generation action uses a .genignore file, read more in the .genignore docs

Third-Party Dependencies

  • Third-party code dependencies - All Speakeasy-created SDKs use minimal to no third-party dependencies. Please see the language-specific design pages for more information.
  • All tokens stored as GitHub secrets - Publishing tokens, such as those used for npm or PyPI, are stored as GitHub Actions secrets (opens in a new tab). The Speakeasy GitHub workflows use these tokens to publish SDK packages to package managers on behalf of the customer, but will never export or have plain text access to these tokens.

Code Ownership

  • All code generated by Speakeasy is owned by the customer. Speakeasy licenses code with the open-source MIT License (opens in a new tab) by default. The license can be altered by the owner of the SDK at any time after generation.
  • Authentication with the Speakeasy platform - When the Speakeasy code generator is invoked, it authenticates with the Speakeasy platform using a GitHub secret named SPEAKEASY_API_KEY. This is an opaque token that authenticates each generation run with a workspace in the platform, enabling Speakeasy to collect metadata on generations on a per-customer basis. Metadata does not include generated code or the raw API specification.

Found a Bug or Vulnerability?

Think you may have found a security bug? We’d be happy to work with you to explore and resolve the issue — and ensure you are fairly rewarded. Rewards will be based on severity, per CVSS (Common Vulnerability Scoring Standard (opens in a new tab)). Get in touch with us at bugs@speakeasyapi.dev to learn more.

Questions?

Please don’t hesitate to reach out to us at info@speakeasyapi.dev for any questions you have about the information contained on this page.