Read-only API Tokens

We're working on providing more control over who can manage features and in which environments. Now you can choose to make API tokens read-only.

A demo of toggling API tokens to read-only.

Toggling a feature with a read-only token via the API or Flipper gem will result in an error:

$ curl -H "Flipper-Cloud-Token: $FLIPPER_CLOUD_TOKEN" -X POST \
  https://www.flippercloud.io/adapter/features/reports/boolean
  
{
  "code":"error",
  "message":"Token does not have API write access.",
  "more_info":"https://www.flippercloud.io/docs/api#errors"
}

Existing tokens are still read/write, but if you have any tokens that you know don't need write access, we recommend switching to a read-only API token.

For the time being, automatically generated tokens are still created with write access as the default. So any time you create a new project or environment, we automatically create the initial tokens with write access. When manually adding tokens, however, the permissions will default to read-only, and you'll need to explicitly choose to create tokens with write access.
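To confirm that the tokens you have switched are actually read-only, you can repeat the write attempt from the curl example and check for the error shown above. The following is an added example, not Flipper's own code: the function names, the `token-audit-canary` feature name, the assumption that the `reports` URL pattern applies to any feature name, and the treatment of a non-error body as "writable" are all assumptions.

```ruby
require "json"
require "net/http"
require "uri"

# Error text copied from the response shown on this page.
WRITE_DENIED = "Token does not have API write access."

# Classify the body returned by a write attempt:
#   :read_only   - the API refused the write for lack of write access
#   :other_error - a different error or an unparseable body; investigate
#   :writable    - no error reported, so the write was presumably accepted
#                  (assumption: the page does not show a success body)
def classify_write_response(body)
  data = JSON.parse(body)
  return :other_error unless data.is_a?(Hash)
  return :writable unless data["code"] == "error"
  data["message"] == WRITE_DENIED ? :read_only : :other_error
rescue JSON::ParserError
  :other_error
end

# Repeat the POST from the curl example against a throwaway feature
# (hypothetical name), so a token that turns out to be writable only
# touches a flag nothing depends on.
def probe_token(token, feature: "token-audit-canary")
  uri = URI("https://www.flippercloud.io/adapter/features/#{feature}/boolean")
  request = Net::HTTP::Post.new(uri)
  request["Flipper-Cloud-Token"] = token
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(request) }
  classify_write_response(response.body.to_s)
end

# Fail closed: anything not positively confirmed read-only is reported.
def not_read_only(results)
  results.reject { |_label, status| status == :read_only }.keys
end

# Offline demonstration with constructed bodies (no network call is made).
samples = {
  "web" => '{"code":"error","message":"Token does not have API write access."}',
  "ci"  => "{}"
}
results = samples.transform_values { |body| classify_write_response(body) }
puts "Not confirmed read-only: #{not_read_only(results).inspect}"
```

For a live audit, build the results hash with `probe_token` for each token you expect to be read-only, and treat any label returned by `not_read_only` as a token to review.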