API Keys

API key format, scope, and security best practices for the Switchflag API.

Key format

API keys follow the pattern:

sf_{prefix}_{random}

Where {prefix} identifies the environment and {random} is a 24-character random string generated with nanoid.

Environment   Prefix   Example
Development   dev      sf_dev_a1b2c3d4e5f6g7h8i9j0k1l2
Staging       stg      sf_stg_a1b2c3d4e5f6g7h8i9j0k1l2
Production    prod     sf_prod_a1b2c3d4e5f6g7h8i9j0k1l2

Scope

API keys are environment-scoped:

  • A development key only returns flag configs for the development environment
  • A production key only returns flag configs for the production environment
  • You cannot use one key to access another environment's data

Finding your key

  1. Navigate to your project in the dashboard
  2. Go to the Environments section
  3. Each environment shows its API key

Usage

Include the key in the Authorization header:

curl -H "Authorization: Bearer sf_prod_..." \
  https://api.switchflag.dev/v1/flags

Or pass it to the SDK:

const client = createClient({
  apiKey: 'sf_prod_...',
})

Security best practices

  • Never commit keys to source control — use environment variables
  • Use the right key for the right environment — don't use production keys in development
  • Rotate keys if they're compromised — generate a new key in the dashboard
  • Restrict access — only give production keys to services that need them
  • The API is read-only (GET only) — API keys cannot create or modify flags
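
The key format and the first two practices above can be checked in code. The following is an added example, not part of the Switchflag SDK or its documentation: it validates a key's shape, confirms that its prefix matches the environment the service runs in, and scans text for key-shaped strings before they reach source control. It assumes {random} uses nanoid's default alphabet (A-Z, a-z, 0-9, _ and -); all function names are hypothetical.

```javascript
// Added example: not part of the Switchflag SDK.
// Assumption: {random} uses nanoid's default URL-safe alphabet (A-Z a-z 0-9 _ -),
// so it may itself contain "_" and the key cannot be parsed by splitting on "_".
const PREFIX_TO_ENV = { dev: 'development', stg: 'staging', prod: 'production' };
const KEY_RE = /^sf_(dev|stg|prod)_([A-Za-z0-9_-]{24})$/;
// Unanchored variant for scanning text; lookarounds stop matches inside longer tokens.
const SCAN_RE = /(?<![A-Za-z0-9_-])sf_(dev|stg|prod)_[A-Za-z0-9_-]{24}(?![A-Za-z0-9_-])/g;

// Returns { prefix, environment } for a well-formed key, otherwise null.
function parseApiKey(key) {
  const m = typeof key === 'string' ? KEY_RE.exec(key.trim()) : null;
  return m ? { prefix: m[1], environment: PREFIX_TO_ENV[m[1]] } : null;
}

// Masks the random part so a key can be mentioned in logs or error messages.
function redactKey(key) {
  const parsed = parseApiKey(key);
  return parsed ? `sf_${parsed.prefix}_${'*'.repeat(24)}` : '[invalid key]';
}

// Startup guard: fail fast if the key is malformed or belongs to another environment.
function requireKeyFor(expectedEnvironment, key) {
  const parsed = parseApiKey(key);
  if (!parsed) throw new Error('API key is missing or malformed');
  if (parsed.environment !== expectedEnvironment) {
    throw new Error(`${redactKey(key)} is a ${parsed.environment} key, expected ${expectedEnvironment}`);
  }
  return key.trim();
}

// Pre-commit style check: returns redacted hits with line numbers for key-shaped strings.
function findCommittedKeys(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(SCAN_RE)) hits.push({ line: i + 1, key: redactKey(m[0]) });
  });
  return hits;
}

// Constructed sample input (the key is the documentation placeholder, not a real key).
const sample = "apiKey: 'sf_prod_a1b2c3d4e5f6g7h8i9j0k1l2',\nconst k = process.env.SF_KEY";
console.log(findCommittedKeys(sample));
```

Call requireKeyFor at service startup with the key read from an environment variable, so a production key in a development process is rejected before any request is made.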