[discourse] Read Only Static Token?

[markphelps]

Originally posted by n2p5 on Discourse

Hey Gang, Maybe its been answered elsewhere, but is there a guy on setting up a read-only static token? We have flipt server running with Google Auth for web login, but the static tokens give full API access, which we definitely don’t want.

Is there a way to scope rego to do this? Or is there a plan for read-only tokens?

How are other folks handling Feature Flags for Javascript with Web Admin login, but not opening up your server to the world?

[dosubot[bot]]

There isn't a built-in concept of "read-only static tokens" in Flipt at the authentication or token management level. Instead, access control—including read-only restrictions—is enforced through rego/OPA policies that use token metadata (like roles) to determine what actions a token can perform. To achieve read-only access, you can create a static token and assign it a role (e.g., viewer) in its metadata, then configure your rego policies so that this role only allows read actions and denies writes. The rego RBAC examples and tests show how a viewer role can be scoped to read-only access, while other roles (like editor or admin) have broader permissions (rego policy example).

There are no current plans or implementation for read-only tokens as a distinct type at the storage or API layer.

For securely handling feature flags in JavaScript without exposing your Flipt server, consider using server-side evaluation or a proxy pattern: have your backend fetch flag values from Flipt and expose only the necessary data to your frontend, rather than exposing the Flipt API or static tokens directly to the browser. This approach keeps your API credentials and access controls secure.

If you want to lock down all modifications (UI and API), you can also enable Flipt's "Read Only Mode" by setting FLIPT_STORAGE_READ_ONLY=true in your environment, but this applies globally and not per-token (read-only mode docs).

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[markphelps]

Reply from george on Discourse:

Hey @n2p5 !

There are few ways to slice and dice this.

W.r.t to exposing flags to the frontend, you can actually exclude the evaluation API from authentication altogether. It is a bit of a blunt instrument, so not for everyone. But there is space in the configuration to exclude parts of the API if you so wish.

However, as you mentioned, you can also define a rego policy that grants this scope to certain API tokens. A simple policy might look something like:

package flipt.authz.v1

import rego.v1

default allow := false

allow if {
  input.authentication.method == "METHOD_TOKEN"
  input.authentication.metadata["io.flipt.auth.token.name"] == "read-only"
  input.request.action == "read"
}

This would allow any token with a name "read-only" to only have read action scope (to any resource).

Additionally, if you have Google auth (OIDC) enabled and you’re allowing all users to do everything, you would need an additional clause like so:

allow if {
   input.authentication.method == "METHOD_OIDC"
}

That would get you all browsers based users access, while allowing for tokens named read-only through for read scoped requests.