Install · CDN

Load the SDK from cdn.ledrapay.com

Immutable versioned bundles with published SRI hashes, mutable channel aliases for automatic updates, and a gated enterprise tier for private channels. All public paths serve Access-Control-Allow-Origin: * — module scripts load cross-origin from any site.

Channels

Pick how you track releases

URLMutabilityCacheUse when
/v1.4.1/ledrapay-components.jsImmutable — never changes1 year, immutableProduction. Pin + SRI, upgrade deliberately.
/v1/ledrapay-components.jsTracks latest v1.x5 minStaging, docs, demos that should stay current within a major.
/latest/ledrapay-components.jsTracks newest release5 minInternal tools only — may cross majors.
/versions.jsonIndex60 sDiscover available versions + current channel targets.
/v1.4.1/manifest.jsonImmutable60 sBytes, sha256, and the SRI integrity value for that version.

Production snippet

Exact version + SRI

<script type="module" crossorigin="anonymous"
  src="https://cdn.ledrapay.com/v1.4.1/ledrapay-components.js"
  integrity="sha384-bA29z2NmjHLR7X8VfOOjnU89A7PfjHO8AEG9vO2i/1TNOohqHkeHh8dOLMn+IbFC"></script>

The integrity value for any version is in that version's manifest.json.

Never pin integrity to a channel alias (/v1/, /latest/). Alias bytes change on every release, which would hard-fail your pages. SRI is for exact-version URLs only.

CSP: add script-src https://cdn.ledrapay.com (and connect-src https://api.ledrapay.com if you use the direct API topology).

Enterprise tier

Private channels: signed URLs or distribution tokens

Early builds and customer-specific channels are served from /enterprise/<channel>/… and require one of two credentials, checked at the edge of our CDN:

# Signed URL — short-lived, we mint it for you (or your backend does, with a shared signing key)
https://cdn.ledrapay.com/enterprise/acme/v1.4.1/ledrapay-components.js?exp=1783600000&sig=9f2c…

# Distribution token — long-lived, per-customer, revocable. Header (CI/servers):
curl -H "Authorization: Bearer ldst_…" https://cdn.ledrapay.com/enterprise/acme/latest/ledrapay-components.js
# …or query param where headers aren't possible (script tags):
<script type="module" src="https://cdn.ledrapay.com/enterprise/acme/latest/ledrapay-components.js?token=ldst_…"></script>
ResponseMeaning
401 signature_or_token_requiredNo credential presented.
403 url_expiredSigned URL past its exp — mint a fresh one.
403 bad_signatureSignature doesn't match the path — check for URL rewriting.
403 invalid_distribution_tokenToken revoked, or valid for a different channel.

Tokens are scoped to exactly one channel and revocable at any time. Enterprise responses are no-store — nothing lingers in shared caches. To get a channel or a token, contact us.

Remember the layered model: gating the file is an enterprise distribution control, not the product's security. Even a public bundle is inert without a valid, origin-bound embed token — the enforcement lives in the API. See the embedding guide.