Authentication

API key format, Bearer token scheme, and how authentication works for the Switchflag API.

API key format

API keys follow the format:

sf_{environment}_{random}

The prefix identifies the environment:

Prefix               Environment
sf_development_...   Development
sf_staging_...       Staging
sf_production_...    Production

Each environment in a project has a unique API key. You can find your keys in the project's Environments section in the dashboard.

Bearer token scheme

Include the API key in the Authorization header using the Bearer scheme:

curl -H "Authorization: Bearer sf_production_abc123..." \
  https://api.switchflag.dev/v1/flags

Validation

The API validates:

  1. The Authorization header is present
  2. It uses the Bearer scheme (exactly two parts separated by a space)
  3. The token starts with sf_
  4. The token matches an existing environment's API key in the database

If any check fails, the API returns 401 Unauthorized:

{
  "error": "Unauthorized"
}
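
The four checks above, sketched in Python as an added example (this is not Switchflag's own code). The in-memory key table, the sample keys, storing SHA-256 digests rather than raw keys, and the exact-case match on Bearer are all assumptions of this example; the environment it returns is what a handler would use to scope the response.

```python
import hashlib
import hmac

# Constructed sample keys; a real service would look these up in its database.
# Keeping SHA-256 digests instead of raw keys is an assumption of this example.
_SAMPLE_KEYS = {
    "sf_development_EXAMPLEdev0000": "development",
    "sf_production_EXAMPLEprod0000": "production",
}
KEY_DIGESTS = {
    hashlib.sha256(key.encode()).digest(): env for key, env in _SAMPLE_KEYS.items()
}

# Every failure returns the same body, so a caller cannot tell which check failed.
UNAUTHORIZED = (401, {"error": "Unauthorized"})


def authenticate(headers):
    """Return (200, {"environment": name}) or the uniform 401 response."""
    # Check 1: the Authorization header is present (header names are case-insensitive).
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return UNAUTHORIZED
    # Check 2: exactly two parts separated by a single space, scheme "Bearer".
    # Matching the scheme with exact case is an assumption of this example.
    parts = value.split(" ")
    if len(parts) != 2 or parts[0] != "Bearer":
        return UNAUTHORIZED
    token = parts[1]
    # Check 3: the token starts with sf_.
    if not token.startswith("sf_"):
        return UNAUTHORIZED
    # Check 4: the token matches a stored environment key.
    digest = hashlib.sha256(token.encode()).digest()
    env = None
    for stored, name in KEY_DIGESTS.items():
        # compare_digest does not reveal how many leading bytes matched.
        if hmac.compare_digest(stored, digest):
            env = name
    if env is None:
        return UNAUTHORIZED
    return (200, {"environment": env})
```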

Scope

API keys are environment-scoped. A request authenticated with a development key will only return flag configurations for the development environment. This prevents accidentally reading production state during development.

Security

  • Never commit API keys to source control
  • Use environment variables to store keys
  • Rotate keys by generating a new one in the dashboard
  • Each key is a long random string — treat it like a password