Hey Gang, maybe it's been answered elsewhere, but is there a guide on setting up a read-only static token? We have the Flipt server running with Google Auth for web login, but the static tokens give full API access, which we definitely don't want.
Is there a way to scope rego to do this? Or is there a plan for read-only tokens?
How are other folks handling feature flags for JavaScript with web admin login, but not opening up your server to the world?
W.r.t. exposing flags to the frontend, you can actually exclude the evaluation API from authentication altogether. It is a bit of a blunt instrument, so not for everyone. But there is space in the configuration to exclude parts of the API if you so wish.
However, as you mentioned, you can also define a rego policy that grants this scope to certain API tokens. A simple policy might look something like:
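The reply above ends before its policy; the following is an added illustration written for this thread, not the policy the responder posted and not code from the Flipt project. It assumes the input shape Flipt documents for its rego integration: `input.request.action` (one of `create`, `read`, `update`, `delete`), `input.request.namespace`, and `input.authentication.metadata` carrying the metadata set on the calling static token. The metadata key `io.flipt.auth.role` and the role names `viewer` and `admin` are assumptions chosen for the example; check the field names against the Flipt version you run.

```rego
# Added example, not the original reply's policy.
# Assumed input shape (verify against your Flipt version):
#   input.request.action            "create" | "read" | "update" | "delete"
#   input.request.namespace         namespace the request targets
#   input.authentication.metadata   key/value metadata attached to the token
package flipt.authz.v1

import rego.v1

# Deny by default: a request is rejected unless a rule below allows it.
default allow := false

# Role is read from token metadata under an assumed key.
role := input.authentication.metadata["io.flipt.auth.role"]

# A "viewer" token (assumed role name) may only perform reads, in any
# namespace. Any create/update/delete from such a token falls through to
# the default deny, which is what makes the token read-only.
allow if {
    role == "viewer"
    input.request.action == "read"
}

# An "admin" token (assumed role name) keeps full access.
allow if {
    role == "admin"
}
```

With the policy saved as `policy.rego` and a sample request saved as `input.json` (for example `{"request": {"action": "update", "namespace": "default"}, "authentication": {"metadata": {"io.flipt.auth.role": "viewer"}}}`), `opa eval -d policy.rego -i input.json 'data.flipt.authz.v1.allow'` evaluates to `false`; changing `"action"` to `"read"` yields `true`. Because the decision is deny-by-default, a token with no role metadata at all is also rejected, so a forgotten or unlabelled token cannot silently gain write access.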