Managing API Tokens
API Tokens are how your application communicates with FlagPal. Your installed SDK (or the development team) needs a token to integrate FlagPal into your product.
This guide is mainly for project owners and developers. Non-technical team members typically don't need to manage API tokens — this is usually handled by the developer integrating FlagPal.
What Is an API Token?
An API Token is a secret key that identifies your project to FlagPal. When your app makes requests to the FlagPal API (to fetch feature flags, record metrics, etc.), it includes this token so FlagPal knows which project the request belongs to.
Think of it like a password for your app — keep it safe and don't share it publicly.
Creating an API Token
- Go to Project Settings
- Navigate to the API Tokens section
- Click New API Token
- Give the token a name (e.g., "Production App", "Staging Environment")
- Pick what abilities (permissions) the token should have (e.g., full access, read, write, metrics)
- (optional) Select how long the token should be valid for.
- Click Create
- Copy the token immediately — you won't be able to see the full token value again after this step
Viewing Your Tokens
In the API Tokens section of Project Settings, you'll see a list of all tokens for your project. For security reasons, you can only see the token name and creation date — not the full token value.
If you need to find out what a token's value is, and you've lost it, you'll need to create a new one.
Sharing a Token With Your Developer
Copy the token value and share it with your developer securely (use a password manager, secure messaging, or direct communication — not email or Slack in plaintext).
Your developer will typically add it to your application's configuration as an environment variable.
Revoking a Token
If you think a token has been compromised, revoke it immediately:
- Go to Project Settings → API Tokens
- Create a new token and update your application's configuration to ensure nothing breaks after revoking the old one.
- Find the token you want to revoke
- Click Revoke
Revoking a token immediately breaks any app using it. If your production application is using the token, revoking it will cause it to stop working until you update it with a new token. Plan this carefully.
Best Practices
Use Separate Tokens Per Environment
Create different tokens for different use cases. If you have multiple applications using the same FlagPal project (such as a web app, a mobile app, and a payment gateway; see Projects as Bridges), give each one its own token so that if one of them is compromised, your other apps are not affected.
| Application | Token Name |
|---|---|
| Web App | Shopify App Production |
| iOS App | iOS App Production |
| Development | Developer's X Local Test |
Rotate Tokens Periodically
Treat API tokens like passwords and change them periodically. Create a new token, update your app, then revoke the old one.
Store Tokens Securely
Never hardcode a token in your source code or commit it to version control. Use environment variables or a secrets manager.
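One way to follow the storage and rotation advice above in application code, as an added example that is not FlagPal's SDK or part of the original guide. The variable names `FLAGPAL_API_TOKEN` and `FLAGPAL_API_TOKEN_FILE` and all helper functions are assumptions made for illustration.

```python
import hashlib
import os
from pathlib import Path

# Assumed variable names, chosen for this example (not defined by FlagPal).
TOKEN_ENV = "FLAGPAL_API_TOKEN"            # token passed directly
TOKEN_FILE_ENV = "FLAGPAL_API_TOKEN_FILE"  # path to a file mounted by a secrets manager


class TokenConfigError(RuntimeError):
    """Raised at startup when no usable token is configured."""


def load_token(env=None):
    """Return the token from the secret file if one is configured, else from the environment."""
    env = os.environ if env is None else env
    path = env.get(TOKEN_FILE_ENV)
    if path:
        try:
            token = Path(path).read_text(encoding="utf-8").strip()
        except OSError as exc:
            raise TokenConfigError(f"cannot read {TOKEN_FILE_ENV}: {exc.strerror}") from None
    else:
        token = env.get(TOKEN_ENV, "").strip()
    if not token:
        # Fail closed: never fall back to a default baked into the source.
        raise TokenConfigError(f"set {TOKEN_ENV} or {TOKEN_FILE_ENV}")
    return token


def fingerprint(token):
    """Short SHA-256 prefix for logs; assumes the token is a long random value."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def rotation_applied(env, old_fingerprint):
    """True once the configuration no longer carries the token that is about to be revoked."""
    return fingerprint(load_token(env)) != old_fingerprint


if __name__ == "__main__":
    # Constructed values, not real tokens.
    before = {TOKEN_ENV: "constructed-old-token"}
    after = {TOKEN_ENV: "constructed-new-token"}
    old_fp = fingerprint(load_token(before))
    print("old token fingerprint:", old_fp)
    print("safe to revoke old token:", rotation_applied(after, old_fp))
```

Logging the fingerprint at startup lets you confirm that every running instance has picked up the new token before you revoke the old one.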
Use Descriptive Names
Name your tokens so you can identify which app or environment they belong to. This makes it easier to revoke the right one if needed.
Frequently Asked Questions
How many tokens can I create?
You can create multiple tokens per project. There's no strict limit.
Can team members see my tokens?
Team members can see the token names and creation dates but not the token values. The full value is only shown once — when you first create the token.
What happens if I lose a token?
You can't recover a lost token. You'll need to create a new one, update your app's configuration, and revoke the old one.