Install · CDN
Load the SDK from cdn.ledrapay.com
Immutable versioned bundles with published SRI hashes, mutable channel aliases for automatic updates, and a gated enterprise tier for private channels. All public paths serve Access-Control-Allow-Origin: * — module scripts load cross-origin from any site.
Channels
Pick how you track releases
| URL | Mutability | Cache | Use when |
|---|---|---|---|
| /v1.4.1/ledrapay-components.js | Immutable — never changes | 1 year, immutable | Production. Pin + SRI, upgrade deliberately. |
| /v1/ledrapay-components.js | Tracks latest v1.x | 5 min | Staging, docs, demos that should stay current within a major. |
| /latest/ledrapay-components.js | Tracks newest release | 5 min | Internal tools only — may cross majors. |
| /versions.json | Index | 60 s | Discover available versions + current channel targets. |
| /v1.4.1/manifest.json | Immutable | 60 s | Bytes, sha256, and the SRI integrity value for that version. |
Production snippet
Exact version + SRI
<script type="module" crossorigin="anonymous" src="https://cdn.ledrapay.com/v1.4.1/ledrapay-components.js" integrity="sha384-bA29z2NmjHLR7X8VfOOjnU89A7PfjHO8AEG9vO2i/1TNOohqHkeHh8dOLMn+IbFC"></script>
The integrity value for any version is in that version's manifest.json.
integrity to a channel alias (/v1/, /latest/). Alias bytes change on every release, which would hard-fail your pages. SRI is for exact-version URLs only.CSP: add script-src https://cdn.ledrapay.com (and connect-src https://api.ledrapay.com if you use the direct API topology).
Enterprise tier
Private channels: signed URLs or distribution tokens
Early builds and customer-specific channels are served from /enterprise/<channel>/… and require one of two credentials, checked at the edge of our CDN:
# Signed URL — short-lived, we mint it for you (or your backend does, with a shared signing key) https://cdn.ledrapay.com/enterprise/acme/v1.4.1/ledrapay-components.js?exp=1783600000&sig=9f2c… # Distribution token — long-lived, per-customer, revocable. Header (CI/servers): curl -H "Authorization: Bearer ldst_…" https://cdn.ledrapay.com/enterprise/acme/latest/ledrapay-components.js # …or query param where headers aren't possible (script tags): <script type="module" src="https://cdn.ledrapay.com/enterprise/acme/latest/ledrapay-components.js?token=ldst_…"></script>
| Response | Meaning |
|---|---|
| 401 signature_or_token_required | No credential presented. |
| 403 url_expired | Signed URL past its exp — mint a fresh one. |
| 403 bad_signature | Signature doesn't match the path — check for URL rewriting. |
| 403 invalid_distribution_token | Token revoked, or valid for a different channel. |
Tokens are scoped to exactly one channel and revocable at any time. Enterprise responses are no-store — nothing lingers in shared caches. To get a channel or a token, contact us.