Flipt supports the ability to secure its core API routes.
Flipt authentication is disabled (not required) by default.
Head to the Configuration: Authentication section to enable it.
Once enabled, all routes beneath the following API prefixes will require a client token in order to authenticate requests:
The following URLs are not protected by authentication:
They are currently unprotected to support backwards compatibility. We’re exploring ways to support protecting these endpoints going forward. For now, we recommend excluding these API prefixes from your load balancer.
Client tokens are the core credential required to authenticate a request. Tokens themselves are acquired via authentication methods.
Flipt currently supports two authentication methods for acquiring credentials:
Once a client token has been acquired, it can be supplied via request metadata, depending on the protocol. Both HTTP and gRPC examples can be found on the Using Client Tokens page.