
Flipt supports the ability to secure its core API routes.

Flipt authentication is disabled (not required) by default.

Head to the Configuration: Authentication section to enable it.

Once enabled, all routes beneath the following API prefixes will require a client token in order to authenticate requests:

  • /api/v1/
  • /auth/v1/

Client Tokens

Client tokens are the core credential required to authenticate a request. Tokens themselves are acquired via authentication methods.

Flipt will ultimately support multiple authentication methods; however, only the token authentication method is supported as of now.

Once a client token has been acquired, it is supplied via request metadata in a form that depends on the protocol (HTTP or gRPC).


For HTTP, the Authorization: Bearer <client-token> header is used to present the client token.
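
An added example (not from the Flipt documentation or code base) of applying this header from a Go HTTP client: a RoundTripper that sets it on every request beneath the two authenticated prefixes, and only for the configured Flipt origin, so the token is not sent to another host or over a different scheme. NewTransport, bearerTransport, the URLs and the token value are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// bearerTransport (hypothetical name, not a Flipt SDK type) adds the client token only
// for the configured origin and the authenticated prefixes, never for other hosts or schemes.
type bearerTransport struct {
	origin, token string // origin is "scheme://host" of the Flipt server
	next          http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	inScope := strings.HasPrefix(req.URL.Path, "/api/v1/") || strings.HasPrefix(req.URL.Path, "/auth/v1/")
	if inScope && req.URL.Scheme+"://"+req.URL.Host == t.origin {
		req = req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
		req.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.next.RoundTrip(req)
}

func NewTransport(base, token string, next http.RoundTripper) (http.RoundTripper, error) {
	u, err := url.Parse(base)
	if err != nil || u.Scheme == "" || u.Host == "" || token == "" {
		return nil, fmt.Errorf("flipt: need an absolute base URL and a non-empty client token")
	}
	return &bearerTransport{origin: u.Scheme + "://" + u.Host, token: token, next: next}, nil
}

func main() {
	// Constructed stand-in for a Flipt server: prints the credential it received.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Println("server saw:", r.Header.Get("Authorization"))
	}))
	defer srv.Close()
	rt, err := NewTransport(srv.URL, "constructed-token", http.DefaultTransport)
	if err != nil {
		panic(err)
	}
	resp, err := (&http.Client{Transport: rt}).Get(srv.URL + "/api/v1/flags") // illustrative path
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
}
```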



For gRPC, the client token is carried in request metadata, which plays the same role as HTTP headers. Supply the lower-case authorization metadata key with the single string value Bearer <client-token> on every RPC call.

Example (in Go):

The following example authenticates a single gRPC client request:

This subsequent example demonstrates using a client unary interceptor, which authenticates all outgoing requests:

Authentication Methods

See Configuration: Authentication Methods for details on how to configure the various authentication methods.


When the token method is enabled and no tokens exist in the backing store, an initial token is created and logged in Flipt’s server output.

The token authentication method supports statically creating authentication tokens.

Once enabled, the /auth/v1/method/token API prefix is mounted to Flipt’s API. This section of the API supports the creation of static tokens.

Example: Token Creation

The following curl command creates a static token with no expiration. If authentication is set to required, an existing client token must be presented to perform this action.