We're working on providing more control over who can manage features and in which environments. Now you can choose to make API tokens read-only.
Toggling a feature with a read-only token via the API or Flipper gem will result in an error:
$ curl -H "Flipper-Cloud-Token: $FLIPPER_CLOUD_TOKEN" -X POST \
    https://www.flippercloud.io/adapter/features/reports/boolean
{
  "code": "error",
  "message": "Token does not have API write access.",
  "more_info": "https://www.flippercloud.io/docs/api#errors"
}
Existing tokens are still read/write, but if you have any tokens that you know don't need write access, we recommend switching them to read-only API tokens.
For the time being, automatically generated tokens are still created with write access by default. So any time you create a new project or environment, we automatically create the initial tokens with write access. When you add tokens manually, however, the permissions default to read-only, and you'll need to explicitly choose to create a token with write access.
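A small audit helper, added here as an example and not part of Flipper Cloud's documentation or the Flipper gem: it classifies the JSON body returned by the boolean-gate POST shown above, so you can verify that a token you believe is read-only really is refused. The function names, the `FLIPPER_PROBE_FEATURE` default and the sample bodies are assumptions constructed for this example; the error body is the one quoted in the post. Note that probing with a token that still has write access will actually enable the gate, so point the probe at a throwaway feature name you control rather than a production flag.

```shell
#!/bin/sh
# Added example (not Flipper Cloud's own tooling): classify the response body
# of a feature-toggle POST to tell a read-only token from a write-capable one.

# classify_write_response BODY
#   prints "readonly-error" when the body is the "Token does not have API write
#   access." error shown in the post, "other-error" for any other {"code":"error"}
#   body, and "no-error" when the API did not report an error (i.e. the write
#   went through, so the token has write access).
classify_write_response() {
  body="$1"
  if printf '%s' "$body" | grep -q '"code" *: *"error"'; then
    if printf '%s' "$body" | grep -q 'does not have API write access'; then
      echo readonly-error
    else
      echo other-error
    fi
  else
    echo no-error
  fi
}

# probe_token TOKEN [FEATURE]
#   Attempts the same boolean-gate POST as in the post against FEATURE
#   (assumed default: "token-probe", a throwaway flag, because a write-capable
#   token WILL enable it) and prints the classification of the response.
probe_token() {
  token="$1"
  feature="${2:-${FLIPPER_PROBE_FEATURE:-token-probe}}"
  body=$(curl -s -H "Flipper-Cloud-Token: $token" -X POST \
    "https://www.flippercloud.io/adapter/features/$feature/boolean")
  classify_write_response "$body"
}

# Constructed sample bodies for running this offline; the first matches the
# error response quoted in the post, the second stands in for any non-error reply.
SAMPLE_READONLY='{"code":"error","message":"Token does not have API write access.","more_info":"https://www.flippercloud.io/docs/api#errors"}'
SAMPLE_NO_ERROR='{"key":"token-probe"}'

# Usage (offline): classify_write_response "$SAMPLE_READONLY"   # readonly-error
# Usage (live):    probe_token "$FLIPPER_CLOUD_TOKEN" token-probe
```

Run `probe_token` once per token you have deployed and expect `readonly-error` for every one that should be read-only; a `no-error` result means the token still has write access and is a candidate for replacement.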