Security and Data Privacy

The Speakeasy Platform is built with security and privacy as core development principles. The following sections detail our privacy and security policy for all artifacts, such as SDKs, generated and maintained through Speakeasy, together with key information on the platform's security features, such as permissions and access. The Speakeasy platform uses your company's API specifications to create high-quality code that is hosted on GitHub.

FAQ

1) Does the Speakeasy platform access my API or customer data in any way?

Speakeasy does not sit in the API call chain. The Speakeasy platform therefore does not have access to, nor store, your customer data or your API request data in any form.

2) What information about my Company or my users does Speakeasy have access to?

Speakeasy has very little access to data about your employees and users.

For user authorization purposes, Speakeasy stores user login email addresses. We also store limited service usage data e.g. when an SDK generation is run.

3) How does Speakeasy's service work?

Speakeasy is shipped as a verified GitHub Action, and therefore runs in your GitHub environment (either in the cloud or on-prem). The GitHub Action accesses your company's API specification, which is a static file describing the API contract, but this specification is not sent to Speakeasy.

It's worth noting that this API specification is often made public and/or is sent to 3rd party vendors to generate API documentation.

4) Do I need to login to the hosted Speakeasy Platform to use the service?

Yes, using the Speakeasy Platform requires logging in through one of our supported authentication providers. However, this is only to request an API key (referred to throughout the documentation as SPEAKEASY_API_KEY). Once that key is obtained and stored, all features of the platform can be accessed directly through the Command Line Interface (CLI).

5) Can Speakeasy be run in an airgapped environment?

Yes. Sending metadata on usage to Speakeasy can be disabled upon request. Please reach out to info@speakeasyapi.dev for more information.

6) Does Speakeasy store package manager secrets?

No. We do not store any package manager secrets. We use these secrets to publish SDKs on your behalf. They are stored as secrets on your GitHub repository and are only viewable to members of your GitHub organisation. Publishing to package managers using Speakeasy is optional.

Customer Hosted

Note

The following guidance refers only to artifacts hosted on behalf of the customer in their own GitHub organisation, and NOT those in Speakeasy's GitHub organisation: speakeasy-sdks

When an artifact, like an SDK, is generated through Speakeasy it may be hosted on GitHub within a repository in your own GitHub organisation (e.g. www.github.com/yourcompany/sdk). Our service is provided through a CLI which is distributed as a Go binary, accessible through various package managers such as Homebrew and Chocolatey. Code is generated in one of two ways:

  1. Locally, by developers using the Speakeasy CLI.

  2. On infrastructure local to your organisation's GitHub account, known as "GitHub Runners".

If they are created in this manner, then the following permissions are requested by our workflows on your GitHub repository. These permissions are self-documenting in GitHub workflow files, as can be seen here. Here is a snippet from a GitHub workflow file that we create and maintain inside of your SDK repository:

permissions:
  checks: write
  contents: write
  pull-requests: write
  statuses: write

This indicates we request WRITE permission on the checks, contents, pull-requests and statuses features of your repository. We respect any permissions inherited from top-level permissions set on the GitHub organisation.
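As an added example (not Speakeasy's code), here is a small audit script a repository owner can run against the workflow file in their SDK repository to confirm that its top-level permissions block still matches the four write scopes documented above and has not drifted to something broader (for example a shorthand write-all, or an extra write scope). The sample workflows embedded below are constructed for the example and do not reproduce the real Speakeasy action's inputs; the parser reads only the top-level permissions block, not job-level overrides, and deliberately avoids a YAML library so it runs with the standard library alone.

```python
"""Audit the top-level `permissions:` block of a GitHub Actions workflow.

Added example, not Speakeasy's code. Checks that a workflow requests only the
four write scopes the documentation above lists, and flags broader grants.
"""

# The write scopes documented for the SDK workflows.
DOCUMENTED_WRITE_SCOPES = {"checks", "contents", "pull-requests", "statuses"}

# Constructed sample: a minimal workflow using the documented block.
SAMPLE_WORKFLOW = """\
name: Generate SDK
on:
  workflow_dispatch:
permissions:
  checks: write
  contents: write
  pull-requests: write
  statuses: write
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: the same workflow after someone added an extra write scope.
DRIFTED_WORKFLOW = SAMPLE_WORKFLOW.replace(
    "  statuses: write\n", "  statuses: write\n  id-token: write\n"
)


def parse_top_level_permissions(text):
    """Return the top-level `permissions` value.

    A dict of scope -> level for the mapping form, the raw string for the
    shorthand form (`write-all`, `read-all`, `{}`), or None if absent.
    Comments are stripped; indented lines are never treated as top-level keys.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.split("#", 1)[0].rstrip()
        if not stripped or stripped[0] in " \t":
            continue  # blank, comment-only, or not a top-level key
        key, _, value = stripped.partition(":")
        if key.strip() != "permissions":
            continue
        value = value.strip()
        if value:
            return value  # shorthand form on the same line
        perms = {}
        for nxt in lines[i + 1:]:
            body = nxt.split("#", 1)[0].rstrip()
            if not body:
                continue
            if body[0] not in " \t":
                break  # reached the next top-level key
            k, _, v = body.strip().partition(":")
            perms[k.strip()] = v.strip()
        return perms
    return None


def audit_permissions(perms):
    """Return a list of findings; an empty list means the block matches the documented set."""
    findings = []
    if perms is None:
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repository default scopes")
        return findings
    if isinstance(perms, str):
        if perms == "{}":
            findings.append("permissions: {} sets every scope to none; the workflow cannot push or open PRs")
        else:
            findings.append(f"shorthand 'permissions: {perms}' applies one level to every scope; list scopes explicitly")
        return findings
    for scope, level in perms.items():
        if level not in ("read", "write", "none"):
            findings.append(f"unexpected level '{level}' for scope '{scope}'")
        elif level == "write" and scope not in DOCUMENTED_WRITE_SCOPES:
            findings.append(f"write on undocumented scope '{scope}'")
    requested_write = {s for s, lvl in perms.items() if lvl == "write"}
    for scope in sorted(DOCUMENTED_WRITE_SCOPES - requested_write):
        findings.append(f"documented write scope '{scope}' not requested")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("drifted", DRIFTED_WORKFLOW)):
        result = audit_permissions(parse_top_level_permissions(text))
        print(name, "->", result or "matches documented permissions")
```

Run it against your own file by reading the workflow text from .github/workflows and passing it to parse_top_level_permissions; a non-empty findings list is worth a look in review before merging a workflow change.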

Speakeasy Hosted

Note

The following guidance refers only to artifacts hosted on behalf of the customer in Speakeasy's GitHub organisation: speakeasy-sdks

Speakeasy Hosted artifacts follow the same set of security guidelines and permissions as Customer Hosted artifacts. The only difference is that they are created in a GitHub organisation owned by Speakeasy.

Code Security and Privacy

3rd Party Dependencies

  • 3rd party code dependencies - All SDKs generated by Speakeasy use minimal to no 3rd party dependencies. Please see the language-specific design pages for more information.
  • All tokens stored as GitHub secrets - Publishing tokens, such as those used for NPM or PyPI, are stored as GitHub Action Secrets. Speakeasy's GitHub workflows will use these tokens to publish SDK packages to package managers on behalf of the customer, but will never export or have plain-text access to these tokens.

Code Ownership

  • All code generated by Speakeasy is owned by the customer. Speakeasy licenses code with the MIT open source License by default. This can be altered by the owner of the SDK at any time after generation.
  • Authentication with Speakeasy platform - When the Speakeasy code generator is invoked it authenticates with the Speakeasy platform using a Github secret named SPEAKEASY_API_KEY. This token is an opaque token that authenticates each generation run with a workspace in our platform. This enables us to collect metadata on generations on a per customer basis. Metadata does not include generated code or the raw API specification.

Found a bug or vulnerability?

Think you may have found a security bug? We'd be happy to work with you to explore and resolve the issue, and to ensure you are fairly rewarded. Rewards will be based on severity, per CVSS (Common Vulnerability Scoring System). Get in touch with us at bugs@speakeasyapi.dev to learn more.

Questions?

Please don't hesitate to reach out to us at info@speakeasyapi.dev for any questions on the above!