Authentication
The Management API authenticates with a bearer token in the Authorization header:
Authorization: Bearer <your-token>There are two token types. Both are created in the Featureflip dashboard and are shown once at creation — store them securely.
Personal Access Tokens (ffp_)
Section titled “Personal Access Tokens (ffp_)”A Personal Access Token acts as you: it carries your identity and your role in every organization you belong to. Use one for personal scripting, local tooling, or exploration.
Create one under Settings → API Tokens → Personal Access Tokens. A personal token is prefixed ffp_.
Service Tokens (ffs_)
Section titled “Service Tokens (ffs_)”A Service Token is a machine identity scoped to a single organization. It carries an explicit role and, optionally, an allowlist of projects it may access. Use one for CI, automation, or shared infrastructure — it is not tied to any person and keeps working after team changes.
Create one under Organization Settings → Service Tokens. A service token is prefixed ffs_.
Roles and permissions
Section titled “Roles and permissions”Both token types act with a role. Roles are hierarchical — Owner is most privileged, Viewer least:
| Role | Can do |
|---|---|
| Owner | Everything, including org settings |
| Admin | Manage projects, flags, members |
| Member | Create and edit flags, targeting, segments |
| Viewer | Read-only |
A write performed by a token below the required role returns 403 forbidden. A service token whose project allowlist excludes the target project returns 404 not_found for that project.
Token expiry and errors
Section titled “Token expiry and errors”Tokens may have an expiry. A missing, malformed, expired, or revoked token returns 401 unauthorized:
{ "error": "unauthorized", "message": "Missing or invalid API token.", "docs_url": "https://featureflip.io/docs/management-api/errors/unauthorized"}See Errors for the full error contract.