1. Overview

Flipt supports the ability to secure its core API routes.

Flipt authentication is disabled (not required) by default.

Head to the Configuration: Authentication section to enable it.

Once enabled, all routes beneath the following API prefixes will require a client token in order to authenticate requests:

  • /api/v1/
  • /auth/v1/
  • /meta

The following URLs are not protected by authentication:

  • /debug
  • /metrics
  • /health

They are currently unprotected to support backwards compatibility. We’re exploring ways to support protecting these endpoints going forward. For now, we recommend excluding these API prefixes from your load balancer.
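The rule above, modelled as an added example (not Flipt's own code): a gate that decides whether a request path needs a client token, and an audit that flags hits on the unprotected endpoints from outside an internal network, which is what excluding them at the load balancer is meant to prevent. It assumes the token is sent as `Authorization: Bearer <token>` (not specified on this page) and uses a constructed request log.

```python
import ipaddress

# Prefixes the page lists as requiring a client token once authentication is enabled.
PROTECTED_PREFIXES = ("/api/v1/", "/auth/v1/", "/meta")
# Endpoints the page lists as unprotected (kept open for backwards compatibility).
UNPROTECTED_PREFIXES = ("/debug", "/metrics", "/health")

# Constructed sample log: "<source ip> <method> <path>" (not real traffic).
SAMPLE_LOG = [
    "10.0.1.5 GET /metrics",
    "203.0.113.7 GET /health",
    "203.0.113.7 GET /api/v1/flags",
    "10.0.2.9 GET /api/v1/namespaces",
]


def requires_token(path: str, auth_enabled: bool = True) -> bool:
    """True if a request to `path` must carry a client token."""
    if not auth_enabled:
        return False
    if path.startswith(UNPROTECTED_PREFIXES):
        return False
    return path.startswith(PROTECTED_PREFIXES)


def gate(path: str, headers: dict, auth_enabled: bool = True) -> int:
    """HTTP status a token-checking gate would return: 200 (pass) or 401.
    Assumes the `Authorization: Bearer <token>` scheme (an assumption here)."""
    if not requires_token(path, auth_enabled):
        return 200
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return 200
    return 401


def exposed_unprotected_hits(log_lines, internal_net: str = "10.0.0.0/8"):
    """Requests to the unprotected endpoints that came from outside `internal_net`,
    i.e. traffic the load balancer should have excluded."""
    net = ipaddress.ip_network(internal_net)
    hits = []
    for line in log_lines:
        src, _method, path = line.split()[:3]
        if path.startswith(UNPROTECTED_PREFIXES) and ipaddress.ip_address(src) not in net:
            hits.append((src, path))
    return hits
```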

Client Tokens

Client tokens are the core credential required to authenticate a request. Tokens themselves are acquired via authentication methods.

Flipt currently supports two authentication methods for acquiring credentials:

  1. Static Token
  2. OIDC

Once a client token has been acquired, it can be supplied via request metadata dependent on the protocol. Both HTTP and gRPC examples can be found on the Using Client Tokens page.