Skip to content

Authentication

The Management API authenticates with a bearer token in the Authorization header:

Authorization: Bearer <your-token>

There are two token types. Both are created in the Featureflip dashboard and are shown once at creation — store them securely.

A Personal Access Token acts as you: it carries your identity and your role in every organization you belong to. Use one for personal scripting, local tooling, or exploration.

Create one under Settings → API Tokens → Personal Access Tokens. A personal token is prefixed ffp_.

A Service Token is a machine identity scoped to a single organization. It carries an explicit role and, optionally, an allowlist of projects it may access. Use one for CI, automation, or shared infrastructure — it is not tied to any person and keeps working after team changes.

Create one under Organization Settings → Service Tokens. A service token is prefixed ffs_.

Both token types act with a role. Roles are hierarchical — Owner is most privileged, Viewer least:

RoleCan do
OwnerEverything, including org settings
AdminManage projects, flags, members
MemberCreate and edit flags, targeting, segments
ViewerRead-only

A write performed by a token below the required role returns 403 forbidden. A service token whose project allowlist excludes the target project returns 404 not_found for that project.

Tokens may have an expiry. A missing, malformed, expired, or revoked token returns 401 unauthorized:

{
"error": "unauthorized",
"message": "Missing or invalid API token.",
"docs_url": "https://featureflip.io/docs/management-api/errors/unauthorized"
}

See Errors for the full error contract.