
Authentication tokens for SDK and API access

API Tokens

Flaggr uses scoped API tokens for authenticating SDK and direct API requests.

Token Types

Project API Tokens

Project-scoped tokens for SDK and API access. Created in the project settings dashboard.

Authorization: Bearer flg_proj_xxxxxxxxxx

User JWT Tokens

Short-lived tokens issued during user authentication. Used by the dashboard and admin APIs.

Token Scopes

Scope   Permissions
read    Evaluate flags, list flags
write   Create, update, delete flags
admin   Manage project settings, tokens, members

Creating Tokens

Via Dashboard

  1. Navigate to Project Settings > API Tokens
  2. Click Create Token
  3. Select the required scopes
  4. Copy the token immediately (it won't be shown again)

Via API

curl -s -X POST https://flaggr.dev/api/projects/proj-1/tokens \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-reader",
    "scopes": ["read"],
    "expiresIn": "90d"
  }' | jq
 
# Response includes the token value — save it immediately
# {
#   "token": { "id": "tok_...", "name": "production-reader", ... },
#   "value": "flg_proj_xxxxxxxxxxxxxxxxxxxx"
# }

Verifying a Token

After creating a token, verify it works by evaluating a flag.

curl -s https://flaggr.dev/api/flags/evaluate \
  -H "Authorization: Bearer flg_proj_xxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"flagKey":"checkout-v2","serviceId":"web-app"}' | jq

Token Rotation

Tokens can be rotated without downtime:

  1. Create a new token with the same scopes
  2. Update your application configuration
  3. Delete the old token
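The rotation above, together with the create and verify calls from the earlier sections, as an added example that is not part of Flaggr's own SDK or docs. It assumes the endpoints and headers shown on this page, that successful responses carry a 2xx status, and that the host is https://flaggr.dev; the transport is injected so the flow can be exercised offline.

```python
"""Zero-downtime rotation of a Flaggr project API token (added example).

The old token is only revoked after the replacement has been created,
proven to evaluate a flag, and switched into the application config, so
a failed create or a mis-scoped token never leaves a service without
credentials. Status codes are assumed to be 2xx on success.
"""
import json
import urllib.request

BASE_URL = "https://flaggr.dev"  # assumed: host used by the docs' curl examples


def urllib_http(method, url, headers, body=None):
    """Default transport: send JSON, return (status, parsed JSON body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def create_verified_token(project_id, name, scopes, admin_token, flag_key,
                          service_id, http=urllib_http, base_url=BASE_URL):
    """Rotation step 1: mint a token with the same scopes as the one being
    retired and prove it can evaluate a flag. Returns (token_id, token_value);
    raises, before the old token is touched, if creation or verification fails."""
    status, created = http(
        "POST", f"{base_url}/api/projects/{project_id}/tokens",
        {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"},
        {"name": name, "scopes": scopes, "expiresIn": "90d"})
    if not 200 <= status < 300:
        raise RuntimeError(f"token creation failed: HTTP {status}")
    token_id, token_value = created["token"]["id"], created["value"]
    status, _ = http(
        "POST", f"{base_url}/api/flags/evaluate",
        {"Authorization": f"Bearer {token_value}", "Content-Type": "application/json"},
        {"flagKey": flag_key, "serviceId": service_id})
    if not 200 <= status < 300:
        raise RuntimeError(f"new token {token_id} failed verification: HTTP {status}")
    return token_id, token_value


def revoke_token(project_id, token_id, admin_token, csrf_token,
                 http=urllib_http, base_url=BASE_URL):
    """Rotation step 3: delete the old token. Call this only after step 2
    (the application configuration now uses the verified replacement)."""
    status, _ = http(
        "DELETE", f"{base_url}/api/projects/{project_id}/tokens/{token_id}",
        {"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token})
    if not 200 <= status < 300:
        raise RuntimeError(f"revoking {token_id} failed: HTTP {status}")
    return token_id
```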

Revoking Tokens

curl -s -X DELETE https://flaggr.dev/api/projects/proj-1/tokens/tok_old_token_id \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "X-CSRF-Token: $CSRF_TOKEN"

Security Best Practices

  • Use read-only tokens for client-side SDKs
  • Set expiration dates on all tokens
  • Rotate tokens regularly (every 90 days recommended)
  • Never commit tokens to version control
  • Use environment variables for token storage
  • Use separate tokens per service/environment