Security and Data Privacy

The Speakeasy Platform is built with security and privacy as core development principles. The following sections detail our privacy and security policy for all artifacts, such as SDKs, generated and maintained through Speakeasy. The Speakeasy platform uses your company's API specifications to create high-quality code that is hosted on GitHub. The following sections detail key information regarding security features of the Speakeasy platform such as permissions and access.


1) Does the Speakeasy platform access my API or customer data in any way?

Speakeasy does not sit in the API call chain. The Speakeasy platform therefore does not have access to, nor store, your customer data or your API request data in any form.

2) What information about my Company or my users does Speakeasy have access to?

Speakeasy has very little access to data about your employees and users.

For user authorization purposes, Speakeasy stores user login email addresses. We also store limited service usage data, e.g. when an SDK generation is run.

3) How does Speakeasy's service work?

Speakeasy is shipped as a verified GitHub Action, and therefore runs in your GitHub environment (either in the cloud or on-prem). The GitHub Action accesses your company's API specification, which is a static file describing the API contract -- but this specification is not sent to Speakeasy.

It's worth noting that this API specification is often made public and/or is sent to 3rd party vendors to generate API documentation.

4) Do I need to login to the hosted Speakeasy Platform to use the service?

Yes, using the Speakeasy Platform requires logging in through one of our supported authentication providers. However, this is only to request an API key (known commonly in the documentation as a SPEAKEASY_API_KEY). Once that key is obtained and stored, all features of the platform can be accessed directly through the Command Line Interface (CLI).

5) Can Speakeasy be run in an air-gapped environment?

Yes. Sending metadata on usage to Speakeasy can be disabled upon request. Please reach out to for more information.

6) Does Speakeasy store package manager secrets?

No. We do not store any package manager secrets. We use these secrets to publish SDKs on your behalf. They are stored as secrets on your GitHub repository and are only viewable to members of your GitHub organisation. Publishing to package managers using Speakeasy is optional.

Customer Hosted

The following guidance refers only to artifacts hosted on behalf of the customer in their own GitHub organisation and NOT those in Speakeasy's GitHub organisation: speakeasy-sdks

When an artifact, like an SDK, is generated through Speakeasy, it may be hosted on GitHub within a repository in your own GitHub organisation (eg: Our service is provided through a CLI, which is distributed as a Go binary accessible through various package managers like Homebrew and Chocolatey. Code is generated in one of two ways:

  1. Locally, by developers using the Speakeasy CLI.
  2. On infrastructure local to your organisation's GitHub account, known as "GitHub Runners".

If they are created in this manner, then the following permissions are requested by our workflows on your GitHub repository. These permissions are self-documenting in GitHub workflow files, as can be seen here. Here is a snippet from a GitHub workflow file that we create and maintain inside of your SDK repository.

checks: write
contents: write
pull-requests: write
statuses: write

This indicates we request WRITE permission on the checks, contents, pull-requests and statuses features of your repository. We will respect any permissions inherited from top-level permissions set on the GitHub organisation.
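To confirm that a workflow file in your SDK repository grants no more than the four scopes listed above, a check like the following can be run in code review or CI. It is an added example, not Speakeasy's code: the function names and the sample workflow are constructed for illustration, and it uses a minimal indentation scan of `permissions:` blocks rather than a full YAML parser.

```python
import re

# Scopes and levels listed on this page for the Speakeasy-maintained workflow.
EXPECTED = {"checks": "write", "contents": "write",
            "pull-requests": "write", "statuses": "write"}
RANK = {"none": 0, "read": 1, "write": 2}

def permission_blocks(text):
    """Yield (line_no, block): a scope dict, or a scalar such as 'write-all'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)permissions:\s*(.*?)\s*(#.*)?$", line)
        if not m:
            continue
        if m.group(2):                      # shorthand: write-all, read-all, {}
            yield i + 1, m.group(2)
            continue
        scopes = {}
        for child in lines[i + 1:]:
            body = child.split("#")[0].strip()
            if not body:                    # blank line or comment
                continue
            if len(child) - len(child.lstrip()) <= len(m.group(1)):
                break                       # dedent ends the mapping
            key, _, val = body.partition(":")
            scopes[key.strip()] = val.strip().strip("'\"")
        yield i + 1, scopes

def excess_permissions(text, expected=EXPECTED):
    """Return (line_no, scope, level) per grant above expected; unknown level = write."""
    findings = []
    for line_no, block in permission_blocks(text):
        if isinstance(block, str):          # *-all grants scopes never listed
            block = {} if block == "{}" else {"*": block}
        for scope, level in block.items():
            if RANK.get(level, 2) > RANK[expected.get(scope, "none")]:
                findings.append((line_no, scope, level))
    return findings

# Constructed workflow for illustration; not a real Speakeasy file.
SAMPLE = """\
permissions:
  contents: write
  pull-requests: write
jobs:
  generate:
    permissions:
      contents: read
      id-token: write
"""
print(excess_permissions(SAMPLE))
```

Both top-level and job-level blocks are checked, because a job-level `permissions:` block replaces the top-level one for that job.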

Speakeasy Hosted

The following guidance refers only to artifacts hosted on behalf of the customer in Speakeasy's GitHub organisation: speakeasy-sdks

Speakeasy Hosted artifacts follow the same set of security guidelines and permissions as Customer Hosted artifacts. The only difference is they are created in a GitHub organisation owned by Speakeasy.

Code Security and Privacy

CLI Events

The Speakeasy CLI submits events to the Speakeasy platform to track things like errors, usage, and other telemetry data. This data is used to track and resolve issues, identify trends, and improve the Speakeasy platform. The CLI commands that currently send telemetry data are speakeasy run and speakeasy generate and the data points they send are as follows:

Data point - Description

  • CustomerID - a unique string identifying a specific customer account
  • WorkspaceID - a unique string identifying a specific customer workspace
  • Language - the name of the target language, i.e. "go", "python", "typescript"
  • Template - the name of the template folder to use for the target, i.e. "go", "typescriptv2", "javav2"
  • RunLocation - whether the generation is running in a terminal (cli) or a GitHub action (action)
  • GenVersion - the specific generator version a given language is being created with
  • CLIVersion - the specific CLI version that is being used
  • FeatureTracking - a list of generator features that a language generator is or is not using
  • ConfigTracking - a list of configuration values being used to generate the language
  • GenIgnoreUsed - if a generation action is using a .genignore file or not. Full Docs

3rd Party Dependencies

  • 3rd party code dependencies - All SDKs generated by Speakeasy use minimal to no 3rd party dependencies. Please see the language-specific design pages for more information.
  • All tokens stored as GitHub secrets - Publishing tokens such as those used for npm or PyPI are stored as GitHub Action Secrets. Speakeasy's GitHub workflows will use these tokens to publish SDK packages to package managers on behalf of the customer, but will never export or have plain text access to these tokens.

Code Ownership

  • All code generated by Speakeasy is owned by the customer. Speakeasy licenses code with the MIT open source License by default. This can be altered by the owner of the SDK at any time after generation.
  • Authentication with Speakeasy platform - When the Speakeasy code generator is invoked, it authenticates with the Speakeasy platform using a GitHub secret named SPEAKEASY_API_KEY. This token is an opaque token that authenticates each generation run with a workspace in our platform. This enables us to collect metadata on generations on a per-customer basis. Metadata does not include generated code or the raw API specification.

Found a bug or vulnerability?

Think you may have found a security bug? We'd be happy to work with you to explore and resolve the issue -- and to ensure you are fairly rewarded. Rewards will be based on severity, per CVSS (Common Vulnerability Scoring Standard). Get in touch with us at to learn more.


Please don't hesitate to reach out to us at for any questions on the above!