diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000000..3e8f414069
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,25 @@
+# gitleaks config — element-x-ada
+#
+# Element X is a Matrix client (fork). Patterns flagged are all
+# public-by-design or doc fixtures:
+# - PostHog apiKey: client-side analytics token, public on every PostHog-
+#   integrated mobile app. Identifies the project, doesn't grant write.
+# - user_signing_key in ElementClassicConnection.kt: KDoc EXAMPLE of what
+#   the response shape looks like, not a live key
+# - docs/build-logs/*.md: roundtrip-test scratch output

[extend]
+useDefault = true

[allowlist]
+description = "Public PostHog client keys + Matrix protocol doc examples + build-log scratch"
+paths = [
+    '''docs/build-logs/.*''',
+]
+regexTarget = "line"
+regexes = [
+    # PostHog client API key (public-by-design — ships in every PostHog SDK consumer)
+    '''apiKey\s*=\s*"phc_[A-Za-z0-9_-]{30,}"''',
+    # Matrix protocol JSDoc examples in KDoc comments (the * prefix is the giveaway)
+    '''^\s*\*\s*"user_signing_key"\s*:\s*"''',
+]
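Review bot: The `paths` entry `'''docs/build-logs/.*'''` exempts an entire directory of captured build output from every rule, and build logs are exactly where echoed environment variables and tokens embedded in URLs tend to surface, so a real credential committed there would be silenced along with the scratch fixtures the header describes. If those files must stay in the repository, narrow the exemption to what the comment actually names and anchor it, e.g. `'''^docs/build-logs/[^/]+\.md$'''` (as written the pattern is an unanchored regex and would also match a `docs/build-logs/` directory anywhere below the root), or better, keep the logs out of git and drop the path entry altogether. The two `regexes` entries are likewise global: the `user_signing_key` pattern is allowlisted in any file, not only in `ElementClassicConnection.kt` as the header implies, so a later KDoc paste of a real key in the same shape would also be ignored. If the gitleaks version in use supports `[[allowlists]]` with `condition = "AND"`, pairing that regex with a `paths` entry for that one file would keep the exemption as narrow as the comment claims; otherwise consider stating in the header that the exemption is repo-wide.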