Overview
This document describes how to enable and use authentication with Flipt.
Flipt supports the ability to secure its core API routes.
Flipt authentication is disabled (not required) by default.
Head to the Configuration: Authentication section to enable it.
Once enabled, all routes beneath the following API prefixes will require a client token in order to authenticate requests:
/api/v1/
/auth/v1/
/meta
The following URLs are not protected by authentication:
/debug
/metrics
/health
They are currently unprotected to support backwards compatibility. We’re exploring ways to support protecting these endpoints going forward. For now, we recommend excluding these API prefixes from your load-balancer.
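One way to apply the recommendation above when the public listener is a Go front end, as an added example that is not Flipt's own code: a handler wrapper that refuses the three unauthenticated prefixes before anything reaches the upstream. The names `guard`, `isUnprotected` and `statusFor`, the 404 response, the stub upstream and the sample paths are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Prefixes the page lists as not protected by Flipt authentication.
var unprotected = []string{"/debug", "/metrics", "/health"}

// isUnprotected cleans the path first, so "/api/v1/../../debug" counts as
// "/debug", then matches on whole path segments (a choice made here).
func isUnprotected(p string) bool {
	clean := path.Clean("/" + p)
	for _, prefix := range unprotected {
		if clean == prefix || strings.HasPrefix(clean, prefix+"/") {
			return true
		}
	}
	return false
}

// guard answers 404 for the unprotected prefixes and forwards everything else.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isUnprotected(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one GET through guard in front of a stub upstream (not Flipt).
func statusFor(target string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	guard(upstream).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"/api/v1/flags", "/metrics", "/health/", "/api/v1/../../debug/pprof"} { // constructed sample paths
		fmt.Println(p, statusFor(p))
	}
}
```

Monitoring and health probes that still need these endpoints would reach Flipt over an internal listener that bypasses this wrapper.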
Client Tokens
Client tokens are the core credential required to authenticate a request. Tokens themselves are acquired via authentication methods.
Flipt currently supports two authentication methods for acquiring credentials:
Once a client token has been acquired, it can be supplied via request metadata dependent on the protocol. Both HTTP and gRPC examples can be found on the Using Client Tokens page.