All requests to /v1/* must be authenticated. Feather Flag supports two authentication methods:
API keys for programmatic API clients, and session cookies for dashboard browser traffic.
API Keys
Pass your key in the Authorization header:

```http
Authorization: Bearer <raw_key>
```
Key types
| Type | Prefix | Use case |
|---|---|---|
| server | sk_... | Backend services, SDKs, CI pipelines — can evaluate any flag |
| client | pk_... | Browser SDKs — restricted to flags marked clientSafe: true |
Never expose a server key in client-side code or public repositories.
Creating a key
Keys are scoped to a specific environment. See Create API Key.
Key lifecycle
- Keys are active until explicitly revoked.
- Revoking a key is immediate and permanent — a revoked key cannot be re-activated.
- The raw key value is returned once at creation. Feather Flag stores only a SHA-256 hash.
- The keyPrefix (e.g. sk_ab12...) is always available for display purposes.
Session Authentication (Dashboard)
The web dashboard authenticates via GitHub OAuth. Session tokens are stored in HTTP-only cookies and are not usable for API access outside the browser.
Session authentication is intended for same-origin dashboard requests. External clients and integrations should use API keys in the Authorization header.
CSRF protection is enforced on all session-authenticated mutating requests (POST, PUT, PATCH, DELETE). The Origin or Referer header must match the expected origin.
Error responses
| Scenario | Status | Code |
|---|---|---|
| Missing Authorization header | 401 | UNAUTHORIZED |
| Invalid or revoked key | 401 | INVALID_API_KEY |
| CSRF header missing | 403 | CSRF_MISSING_ORIGIN |
| CSRF origin mismatch | 403 | CSRF_ORIGIN_MISMATCH |
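The rules above (Bearer key lookup against a stored SHA-256 hash, revocation, the server/client key split, and the Origin/Referer check on session-authenticated mutating requests) as one authenticator, written here as an added example; it is not Feather Flag's own code. The key store, the dashboard origin, the `session_valid` flag standing in for a verified cookie and all sample key values are assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed key store. As the docs state, only the SHA-256 hash of the raw key
# is kept; the prefix is stored separately for display. Entries are made up.
def _sha256(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()

KEYS = {
    _sha256("sk_ab12secret"): {"type": "server", "prefix": "sk_ab12...", "revoked": False},
    _sha256("pk_cd34public"): {"type": "client", "prefix": "pk_cd34...", "revoked": False},
    _sha256("sk_ef56old"):    {"type": "server", "prefix": "sk_ef56...", "revoked": True},
}
EXPECTED_ORIGIN = "https://dashboard.example.com"  # assumed dashboard origin
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

def _origin_of(url: str) -> str:
    # Origin is scheme://host[:port]; Referer is a full URL, so reduce both to the origin.
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def authenticate(headers: dict, method: str, session_valid: bool = False):
    """Return (status, result): result is the principal on success or the error code.
    session_valid stands in for a verified HTTP-only session cookie (assumption)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        digest = _sha256(auth[len("Bearer "):].strip())
        # Constant-time comparison of digests; never compare raw keys directly.
        record = next((r for h, r in KEYS.items() if hmac.compare_digest(h, digest)), None)
        if record is None or record["revoked"]:
            return 401, "INVALID_API_KEY"
        return 200, {"type": record["type"], "prefix": record["prefix"]}
    if not session_valid:
        return 401, "UNAUTHORIZED"
    if method.upper() in MUTATING:
        # CSRF check applies only to session-authenticated mutating requests.
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is None:
            return 403, "CSRF_MISSING_ORIGIN"
        if _origin_of(origin) != EXPECTED_ORIGIN:
            return 403, "CSRF_ORIGIN_MISMATCH"
    return 200, {"type": "session"}

def can_evaluate(principal: dict, flag: dict) -> bool:
    """Server keys evaluate any flag; client keys only flags marked clientSafe: true."""
    return principal["type"] != "client" or flag.get("clientSafe") is True
```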