Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-02-09 00:18:00 +01:00
Code Issues Projects Releases Wiki Activity

Update API tokens and client keys pages (#9143)

Browse Source
This commit is contained in:
Melinda Fekete 2025-02-04 09:32:32 +01:00 committed by GitHub
parent e5e7e2fdd3
commit ef8191c68d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
43 changed files with 188 additions and 382 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
frontend/src/component/integrations/IntegrationList/AvailableIntegrations/AvailableIntegrations.tsx
View File

@ -163,7 +163,7 @@ export const AvailableIntegrations: VFC<IAvailableIntegrationsProps> = ({
need a client SDK (software developer kit) for your
programming language and an{' '}
<a
href='https://docs.getunleash.io/how-to/how-to-create-api-tokens'
href='https://docs.getunleash.io/reference/api-tokens-and-client-keys'
target='_blank'
rel='noopener noreferrer'
>

2
src/lib/openapi/spec/create-pat-schema.ts
View File

@ -3,7 +3,7 @@ import type { FromSchema } from 'json-schema-to-ts';
export const createPatSchema = {
$id: '#/components/schemas/createPatSchema',
description:
'Describes the properties required to create a [personal access token](https://docs.getunleash.io/how-to/how-to-create-personal-access-tokens), or PAT. PATs are automatically scoped to the authenticated user.',
'Describes the properties required to create a [personal access token](https://docs.getunleash.io/reference/api-tokens-and-client-keys#personal-access-tokens), or PAT. PATs are automatically scoped to the authenticated user.',
type: 'object',
required: ['description', 'expiresAt'],
properties: {

2
src/lib/openapi/spec/pat-schema.ts
View File

@ -5,7 +5,7 @@ export const patSchema = {
$id: '#/components/schemas/patSchema',
type: 'object',
description:
'Describes a [personal access token](https://docs.getunleash.io/how-to/how-to-create-personal-access-tokens), or PAT. PATs are automatically scoped to the authenticated user.',
'Describes a [personal access token](https://docs.getunleash.io/reference/api-tokens-and-client-keys#personal-access-tokens), or PAT. PATs are automatically scoped to the authenticated user.',
required: ['id', 'createdAt', ...createPatSchema.required],
properties: {
id: {

2
src/lib/openapi/spec/pats-schema.ts
View File

@ -5,7 +5,7 @@ export const patsSchema = {
$id: '#/components/schemas/patsSchema',
type: 'object',
description:
'Contains a collection of [personal access tokens](https://docs.getunleash.io/how-to/how-to-create-personal-access-tokens), or PATs. PATs are automatically scoped to the authenticated user.',
'Contains a collection of [personal access tokens](https://docs.getunleash.io/reference/api-tokens-and-client-keys#personal-access-tokens), or PATs. PATs are automatically scoped to the authenticated user.',
properties: {
pats: {
type: 'array',

2
src/lib/routes/admin-api/project/api-token.ts
View File

@ -91,7 +91,7 @@ export class ProjectApiTokenController extends Controller {
operationId: 'getProjectApiTokens',
summary: 'Get api tokens for project.',
description:
'Returns the [project API tokens](https://docs.getunleash.io/how-to/how-to-create-project-api-tokens) that have been created for this project.',
'Returns the project-specific [API tokens](https://docs.getunleash.io/reference/api-tokens) that have been created for this project.',
responses: {
200: createResponseSchema('apiTokensSchema'),
...getStandardResponses(401, 403, 404),

6
src/lib/routes/admin-api/user/pat.ts
View File

@ -62,7 +62,7 @@ export default class PatController extends Controller {
summary:
'Get all personal access tokens (PATs) for the current user.',
description:
'Returns all of the [personal access tokens](https://docs.getunleash.io/how-to/how-to-create-personal-access-tokens) (PATs) belonging to the current user.',
'Returns all of the [personal access tokens](https://docs.getunleash.io/reference/api-tokens-and-client-keys#personal-access-tokens) (PATs) belonging to the current user.',
responses: {
200: createResponseSchema(patsSchema.$id),
...getStandardResponses(401, 403, 404),
@ -82,7 +82,7 @@ export default class PatController extends Controller {
summary:
'Create a new personal access token (PAT) for the current user.',
description:
'Creates a new [personal access token](https://docs.getunleash.io/how-to/how-to-create-personal-access-tokens) (PAT) belonging to the current user.',
'Creates a new [personal access token](https://docs.getunleash.io/reference/api-tokens-and-client-keys#personal-access-tokens (PAT) belonging to the current user.',
requestBody: createRequestSchema(createPatSchema.$id),
responses: {
201: resourceCreatedResponseSchema(patSchema.$id),
@ -105,7 +105,7 @@ export default class PatController extends Controller {
summary:
'Delete a personal access token (PAT) for the current user.',
description:
'Deletes a [personal access token](https://docs.getunleash.io/how-to/how-to-create-personal-access-tokens) (PAT) belonging to the current user.',
'Deletes a [personal access token](https://docs.getunleash.io/reference/api-tokens-and-client-keys#personal-access-tokens) (PAT) belonging to the current user.',
parameters: [
{
name: 'id',

2
website/docs/feature-flag-tutorials/serverless/implementing-feature-flags-in-aws-lambda.md
View File

@ -31,7 +31,7 @@ You should only initialize the Unleash SDK once during the lifespan of a serverl
Why? AWS Lambda is designed to reuse the same instance for multiple invocations, enabling the expensive initialization process to occur only during the Lambda's "cold start." Subsequent "warm" invocations can then leverage the SDK, which has been pre-initialized, with all feature flag configurations cached in memory. This ensures efficient operation by minimizing initialization overhead and enhancing performance.
Youll also need to provide an [Unleash Server side API Token](/how-to/how-to-create-api-tokens) as an environment variable for the AWS Lambda. This authorizes the SDK to connect to the Unleash API.
Youll also need to provide an [Unleash Server side API Token](/reference/api-tokens-and-client-keys) as an environment variable for the AWS Lambda. This authorizes the SDK to connect to the Unleash API.
```javascript
import {

35
website/docs/how-to/how-to-create-api-tokens.mdx
View File

@ -2,36 +2,9 @@
title: How to create API Tokens
---
import newTokenImage from '/img/admin_create_token_form.png';
Depending on your [permissions](../reference/api-tokens-and-client-keys#api-token-permissions), you can create API tokens in the Unleash Admin UI in three ways:
- **Admin > API access**: for client or frontend tokens; requires the Admin root role, or a custom root role with API token permissions.
- **Settings > API access** inside a project: for project-specific client or frontend tokens; permitted for project Members or users with a [corresponding root role](../reference/api-tokens-and-client-keys#api-token-permissions).
- **Profile > View profile settings > Personal API tokens**: for personal access tokens.
:::info Permissions
Creating API tokens requires you to have the `CREATE_API_TOKEN` permission. This means that, as of now, **only instance admins can create API tokens.**
All users can see tokens with `CLIENT` level access, but only instance admins can see tokens with `ADMIN` level access.
:::
Unleash SDKs use API tokens to authenticate to the Unleash API. Unleash supports different types of API tokens, each with different levels of access and privileges. Refer to the [API tokens and client keys documentation](../reference/api-tokens-and-client-keys.mdx) for a complete overview of the different token types.
## Step 1: Navigate to the API token creation form {#step-1}
Navigate to the _API access_ page in the admin UI (available at the URL `/admin/api`). Use the navigation menu item "Configure" and select "API access".
![The admin UI navigation "Configure" submenu with the API access item highlighted.](/img/admin_configure_api.png)
On the API access page, use the "New API token" button to navigate to the token creation form.
![The API access page with the "New API token" button highlighted.](/img/admin_new_api_key_button.png)
## Step 2: Fill in the API token form {#step-2}
![API token creation form. ](/img/admin_create_token_form.png)
Fill in the form with the desired values for the token you want to create. Refer to the [API tokens and client keys](../reference/api-tokens-and-client-keys.mdx#token-data) article for a detailed explanation of what all the fields mean.
## Using API tokens
When you have created the API token, it will be listed on the API access page. If you have the required permissions to see the token, you can copy it for easy use in your applications.
![API access token table with a "copy token" button highlighted.](/img/admin_copy_token.png)

41
website/docs/how-to/how-to-create-personal-access-tokens.mdx
View File

@ -1,41 +0,0 @@
---
title: How to create Personal Access Tokens
---
:::note Availability
**Version**: `4.17+`
:::
Personal access tokens are a tool to enable a user to use the Admin API as themselves with their own set of permissions, rather than using an admin token. See [_how to use the Admin API_](how-to-use-the-admin-api.md) for more information.
## Step 1: Navigate to the personal access tokens page {#step-1}
Open the user profile pane in the admin UI and select the _view user profile_ menu item (available at the URL `/profile`).
![The admin UI navigation "user profile" menu with the view user profile menu item selected.](/img/create-pat-1.png)
Select the "Personal Access Tokens" menu item.
![The user profile page with the "Personal Access Tokens" menu item highlighted.](/img/create-pat-2.png)
## Step 2: Navigate to New Token {#step-2}
Navigate to "New Token".
![The New Token element highlighted. ](/img/create-pat-3.png)
## Step 3: Fill in the create personal API token form and create it {#step-3}
Give your token a description and optionally set an expiry date. By default the expiry date is set to 30 days.
![The New Token form with the description text box and create element highlighted. ](/img/create-pat-4.png)
## Step 4: Save your token {#step-4}
Once your new token is created, the popup will display the new token details. You must save your token somewhere outside of Unleash, you won't be able to access it again.
![The token created popup with the "Copy Token" element highlighted. ](/img/create-pat-5.png)
Your personal access token can now be used in place of an [admin token](../reference/api-tokens-and-client-keys#admin-tokens).

33
website/docs/how-to/how-to-create-project-api-tokens.mdx
View File

@ -1,33 +0,0 @@
---
title: How to create Project API Tokens
---
:::info Permissions
Creating Project API tokens requires you to have the `CREATE_PROJECT_API_TOKEN` permission.
:::
Unleash SDKs use API tokens to authenticate to the Unleash API. Unleash supports different types of API tokens, each with different levels of access and privileges. Refer to the [API tokens and client keys documentation](../reference/api-tokens-and-client-keys.mdx) for a complete overview of the different token types.
## Step 1: Navigate to the API token creation form {#step-1}
Navigate to the Project _API access_ page in the admin UI (available at the URL `/admin/projects/<project-name>/api-access`). Use the navigation tab "Project Settings" and select "API access".
![The Project overview "Project settings" submenu with the API access item highlighted.](/img/configure_project_api.png)
On the API access page, use the "New API token" button to navigate to the token creation form.
![The Project API access page with the "New API token" button highlighted.](/img/admin_new_project_api_key_button.png)
## Step 2: Fill in the API token form {#step-2}
![Project API token creation form. ](/img/admin_create_project_token_form.png)
Fill in the form with the desired values for the token you want to create. Refer to the [API tokens and client keys](../reference/api-tokens-and-client-keys.mdx#token-data) article for a detailed explanation of what all the fields mean.
## Using Project API tokens
When you have created the Project API token, it will be listed on the Project API access page. If you have the required permissions to see the token (`READ_PROJECT_API_TOKEN`), you can copy it for easy use in your applications.
![API access token table with a "copy token" button highlighted.](/img/copy_project_token.png)

45
website/docs/how-to/how-to-create-service-accounts.mdx
View File

@ -1,45 +0,0 @@
---
title: How to create service accounts
---
:::note Availability
**Plan**: [Enterprise](https://www.getunleash.io/pricing) | **Version**: `4.21+`
:::
[Service accounts](../reference/service-accounts.md) enable Unleash admins to create accounts that act as users and adhere to the same set of permissions. However, these accounts do not have a password and cannot log in to the Unleash Admin UI. Instead, they are intended to be used to access the Unleash API programmatically.
## Step 1: Navigate to the service accounts page {#step-1}
Navigate to the _service accounts_ page in the admin UI (available at the URL `/admin/service-accounts`). Use the _settings_ button in the navigation menu and select "service accounts".
![The admin UI navigation settings submenu with the Service accounts item highlighted.](/img/service-account-1.png)
## Step 2: Click the "new service account" button {#step-2}
Use the "new service account" button to open the "new service account" form.
![The "service accounts" table with the "new service account" button highlighted.](/img/service-account-2.png)
## Step 3: Fill in the service account form {#step-3}
Give your new service account a name. After leaving the name field, the username field is pre-filled with a suggestion based on the name you entered, but you can change it to whatever you like.
Select a [root role](https://docs.getunleash.io/reference/rbac#predefined-roles) for your service account, which will define what your new service account will be allowed to do. The roles that you can assign to service accounts are the same ones that are available for regular users.
![The service account form filled with some example data, and the "add service account" button highlighted at the bottom.](/img/service-account-3.png)
You can optionally generate a token for the new service account right away. Give your token a description and optionally set an expiry date. By default, the expiry date is set to 30 days. The token will be generated when you submit the form.
![The service account form with the token section highlighted and the "generate a token now" option selected](/img/service-account-4.png)
![The token details with the "copy token" element highlighted.](/img/service-account-5.png)
## Managing service account tokens
You can later manage service account tokens by editing the respective service account. This allows you to add new tokens to that service account or delete existing ones.
![The service account table with the "edit" button highlighted.](/img/service-account-6.png)
![The service account form with the tokens table highlighted](/img/service-account-tokens.png)

22
website/docs/how-to/how-to-use-the-admin-api.md
View File

@ -2,36 +2,34 @@
title: How to use the Admin API
---
This guide explains the steps required to getting access to and using the Admin API.
This guide explains the steps required to using the Admin API.
## Step 1: Create API token {#step-1-create-api-token}
## Create API token
You'll need either an [admin token](../reference/api-tokens-and-client-keys.mdx#admin-tokens) or a [personal access token](../reference/api-tokens-and-client-keys.mdx#personal-access-tokens) for this to work. To create one, follow the steps in the [_how to create API tokens_](../how-to/how-to-create-api-tokens.mdx) guide or the [_how to create personal access tokens_](./how-to-create-personal-access-tokens.mdx) guide, respectively.
First, you'll need to create a [personal access token](/reference/api-tokens-and-client-keys.mdx#personal-access-tokens).
Please note that it may take up to 60 seconds for the new key to propagate to all Unleash instances due to eager caching.
:::note
If you need an API token to use in a client SDK you should create a "client token" as these have fewer access rights.
If you need an API token to use in a client SDK you should create a client token instead, as these have fewer access rights.
:::
## Step 2: Use Admin API {#step-2-use-admin-api}
## Use Admin API
Now that you have an access token with admin privileges we can use that to perform changes in our Unleash instance.
Now that you have an access token with admin privileges, you can use it to make changes in your Unleash instance.
In the example below we will use the [Unleash Admin API](/reference/api/legacy/unleash/admin/features.md) to enable the “Demo” feature flag using curl.
In the example below we will use the [Unleash Admin API](/reference/api/legacy/unleash/admin/features.md) to enable the `checkout-flow` feature flag in `development` using curl.
```sh
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: some-token" \
https://app.unleash-hosted.com/demo/api/admin/features/Demo/toggle/on
-H "Authorization: <your-token>" \
https://app.unleash-hosted.com/docs-demo/api/admin/projects/docs-project/features/checkout-flow/environments/development/on
```
**Great success!** We have now enabled the feature flag. We can also verify that it was actually changed by the API user by navigating to [Event Log](/reference/events#event-log) and filtering events for this feature flag.
We have now enabled the feature flag. We can also verify that it was actually changed by the API user by navigating to [Event Log](/reference/events#event-log) and filtering events for this feature flag.
![Feature flag events showing that it was last updated by "admin-api".](/img/api_access_history.png)
## API overview {#api-overview}
You can find the full documentation on everything the Unleash API supports in the [Unleash API documentation](/reference/api/legacy/unleash/admin/features.md).

268
website/docs/reference/api-tokens-and-client-keys.mdx
View File

@ -3,46 +3,71 @@ title: API Tokens and Client Keys
pagination_next: reference/front-end-api
---
For Unleash to be of any use, it requires at least a server and a [consuming client](../reference/sdks). More advanced use cases may call for multiple clients, automated feature flag updates, the [Unleash proxy](../reference/unleash-proxy) and [Unleash proxy clients](../reference/sdks#front-end-sdks), and more. To facilitate communication between all these moving parts, Unleash uses a system of API tokens and client keys, all with a specific purpose in mind.
## Overview
This document details the three kinds of tokens and keys that you will need to fully connect any Unleash system:
Unleash uses API keys to facilitate communication between consuming clients such as [SDKs](../reference/sdks), [Unleash Edge](../reference/unleash-edge), or other tools and automation.
- [Admin tokens](#admin-tokens) for updating resources in Unleash (**Deprecated**) We recommend you use [Personal Access Tokens](#personal-access-tokens) instead.
- [Client tokens](#client-tokens) for connecting server-side client SDKs and the Unleash proxy to the Unleash server
- [Proxy client keys](#proxy-client-keys) for connecting proxy client SDKs to the Unleash proxy.
Unleash supports the following types of API tokens:
- [Client tokens](#client-tokens) for connecting [server-side client SDKs](../reference/sdks#server-side-sdks), [Unleash Edge](../reference/unleash-edge), and [Unleash Proxy](../reference/unleash-proxy) to Unleash.
- [Frontend tokens](#frontend-tokens) for connecting [client-side SDKs](../reference/sdks#front-end-sdks) to Unleash using the [Frontend API](../reference/front-end-api) or [Unleash Edge](../reference/unleash-edge).
- [Personal access tokens](#personal-access-tokens) for testing and debugging or providing temporary access to an automation tool.
- [Service account tokens](/reference/service-accounts) for providing API access to integrations or automation tools.
## API tokens
To connect a client-side SDK to Unleash using Unleash Edge, you need both a [client](#client-tokens) and [frontend token](#frontend-tokens). See [Connect a client-side SDK to Unleash using Edge](#connect-a-client-side-sdk-to-unleash-using-edge) for an example.
:::tip
## API token types
This section describes what API tokens are. For information on how to create them, refer to the [how-to guide for creating API tokens](../how-to/how-to-create-api-tokens).
### Client tokens
Client tokens are intended for use in [server-side client SDKs](../reference/sdks#server-side-sdks), [Unleash Edge](../reference/unleash-edge), and [Unleash Proxy](../reference/unleash-proxy) to grant the permissions to:
- Reading feature flag information
- Registering applications with the Unleash server
- Sending usage metrics
Client tokens are scoped to one or more projects and a single environment. When creating a client token, you can give it access to a specific list of projects or to all current or future projects. Client tokens are secrets and must not be exposed to end users.
Client tokens cannot be used in frontend SDKs; use [frontend tokens](#frontend-tokens) instead.
### Frontend tokens
Use frontend tokens for connecting [frontend SDKs](../reference/sdks#front-end-sdks) to Unleash using the [Unleash Frontend API](./front-end-api) or [Unleash Edge](../reference/unleash-edge). They grant the user permission to:
- Reading enabled flags for a given context
- Registering applications with the Unleash server
- Sending usage metrics
Frontend tokens are scoped to one or more projects and a single environment. When creating a frontend token, you can give it access to a specific list of projects or to all current or future projects. Frontend tokens are not considered secret and are safe to expose client-side.
Frontend tokens cannot be used in server-side SDKs; use [client tokens](#client-tokens) instead.
### Personal access tokens
Personal access tokens reflect the permissions of the user who creates them. If the user's permissions change, such as through the addition of a custom role, the token automatically updates to match the new permissions.
You can use personal access tokens for testing, debugging, or giving temporary access to automation tools.
When you use a personal access token to modify resources, the events record the token creator's name for that operation.
Personal access tokens with a lifetime expire and stop working after their expiration date. Although you can set the token to not expire, we recommend using tokens with expiration dates to follow security best practices.
Personal access tokens are not suitable for client SDKs, as they are not bound to an environment, they may expire, or their permissions may change. Use [client tokens](#client-tokens) instead.
### Service account tokens
Service account tokens provide API access to integration and automation tools. To learn more, go to [Service Accounts](/reference/service-accounts).
### Admin tokens
:::warning
Admin tokens are deprecated. Use other token types:
- With [Open Source](https://www.getunleash.io/pricing) and [Pro](../availability#plans); use [personal access tokens](#personal-access-tokens).
- With [Enterprise](https://www.getunleash.io/pricing); use [service accounts](./service-accounts).
:::
Use API tokens to connect to the Unleash server API. API tokens come in four distinct types:
- [Admin tokens](#admin-tokens) (**Deprecated**)
- [Personal access tokens](#personal-access-tokens)
- [Client tokens](#client-tokens)
- [Front-end tokens](#front-end-tokens)
All types use [the same format](#format) but have different intended uses. Admin and client tokens are _secrets_ and should _not_ be exposed to end users. Front-end tokens, on the other hand, are not secret.
### The parts of an API token {#token-data}
Admin, client and front-end tokens contain the following pieces of information:
| Name | Description |
| --- | --- |
| Token name (sometimes called "username") | The token's name. Names are **not** required to be unique. |
| Type | What kind of token it is: admin, client, or front-end. |
| Projects | What projects a token has access to. |
| Environment | What environment the token has access to. |
Personal access tokens follow their own special format, and only contain an optional description for the token and an expiry date.
Admin tokens grant full read and write access to all resources in the Unleash server API. This includes all projects, all environments, and all [root resources](../reference/rbac#core-principles).
### API token visibility
## API token permissions
:::note Availability
@ -50,138 +75,51 @@ Personal access tokens follow their own special format, and only contain an opti
:::
The following table provides a summary of what actions different roles can perform with API tokens:
By default, only admin users can create API tokens, and only admins can see their values.
| Role/Permission | Details |
|-----------------------------------------------|-------------------------------------------------------------------------|
| Admin root role | Can view, create, update, or delete tokens for any project. |
| Custom root role with API token permission | Can view, create, update, or delete tokens for any project with the corresponding permission, such as `CREATE_CLIENT_API_TOKEN`. |
| Member project role | Can view, create, update, or delete tokens within the project. |
| Custom project role with API token permission | Can view, create, update, or delete tokens within the project with the corresponding permission, `CREATE_PROJECT_API_TOKEN`. |
| Viewer root role | Cannot view, create, update, or delete tokens. |
| Any role | Can create personal access tokens. |
However, any [client](#client-tokens client tokens) and [front-end tokens](#front-end-tokens) that are applicable to a project, will also be visible to any members of that project that have the `READ_PROJECT_API_TOKEN` permission (all project members by default).
Similarly, any project members with the `CREATE_PROJECT_API_TOKEN` permission can also create client and front-end tokens for that specific project ([how to create project API tokens](../how-to/how-to-create-project-api-tokens)).
### Admin tokens
:::warning
Admin tokens are deprecated. Use other tokens types:
- With [Open Source](https://www.getunleash.io/pricing) and [Pro](../availability#plans), use [personal access tokens](#personal-access-tokens).
- With [Enterprise](https://www.getunleash.io/pricing), use [service accounts](./service-accounts).
:::
**Admin tokens** grant _full read and write access_ to all resources in the Unleash server API. Admin tokens have access to all projects, all environments, and all root resources (find out more about [resources in the RBAC document](../reference/rbac#core-principles)).
### Personal access tokens
**Personal access tokens** are a special form of admin tokens and grant access to the same resources that the user that created them has access to. These permissions are dynamic, so if a user's permissions change through addition of a custom role, the token will likewise have altered permissions.
When you use a personal access token to modify resources, the events record the token creator's name for that operation.
Personal access tokens with a lifetime **will stop working after the expiration date**.
Use personal access tokens to:
- Provide more fine-grained permissions for automation than an admin token provides
- Give temporary access to an automation tool
:::info On token expiration
It is possible to set a token's expiration date to **never**. However, a token that doesn't expire brings with it a few security concerns. We recommend that you use tokens with expiration dates whenever possible.
:::
Do **not** use personal access tokens for:
- [Client SDKs](../reference/sdks): You will _not_ be able to read flag data from multiple environments. Use [client tokens](#client-tokens) instead.
- Write custom Unleash UIs: Personal access tokens may expire and their permissions may change. It's better to use [admin tokens](#admin-tokens) tokens instead.
### Client tokens
**Client tokens** are intended for use in [server-side client SDKs](../reference/sdks#server-side-sdks) (including the Unleash Proxy) and grant the user permissions to:
- Read feature flag information
- Register applications with the Unleash server
- Send usage metrics
When creating a client token, you can choose which projects it should be able to read data from. You can give it access to a specific list of projects or to all projects (including projects that don't exist yet). Prior to Unleash 4.10, a token could be valid only for a _single project_ or _all projects_.
Each client token is only **valid for a single environment**.
Use client tokens:
- In [server-side client SDKs](../reference/sdks#server-side-sdks)
- To connect [the Unleash Proxy](../reference/unleash-proxy) to the Unleash API
Do **not** use client tokens in:
- [Front-end SDKs](../reference/sdks#front-end-sdks). You will _not_ be able to connect to the Unleash server due to CORS restrictions. To connect front-end SDKs, choose one of the following options:
- Enable the [Unleash front-end API](./front-end-api) and create a [front-end token](#front-end-tokens).
- Configure an [Unleash Proxy](../reference/unleash-proxy) and use [Proxy client keys](#proxy-client-keys).
### Front-end tokens
**Front-end tokens** are used with [front-end SDKs](../reference/sdks#front-end-sdks) when used with the [Unleash front-end API](./front-end-api). They grant the user permission to:
- Read the enabled flags for a given context
- Register applications with the Unleash server
- Send usage metrics
As with [client tokens](#client-tokens), front-end tokens can read data from one, multiple, or all existing projects.
Each front-end token is only **valid for a single environment**.
Use front-end tokens in:
- [Front-end SDKs (also known as _proxy clients_)](../reference/sdks#front-end-sdks).
Do **not** use front-end tokens in:
- [Server-side SDKs](../reference/sdks#server-side-sdks). The format is different, so they won't work correctly.
### Format
API tokens come in one of two formats. When we introduced [environments](./environments) in Unleash 4.3, we updated the format of the tokens to provide more human-readable information to the user. Both formats are still valid (you don't need to update a working token of the old format) and are described below.
#### Version 1
The first version of API tokens was a 64 character long hexadecimal string. Example:
```
be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178
```
#### Version 2
## API token format
API tokens consist of three parts:
1. Project(s)
1. Project information
2. Environment
3. Hash
The parts are separated by two different separators: A colon (`:`) between the project(s) and the environment, and a full stop (`.`) between the environment and the hash.
The parts are separated by two delimiters: a colon (`:`) between the projects and the environment, and a period (`.`) between the environment and the hash.
The **project(s)** part is one of:
```
{{projects}}:{{environment}}.{{hash}}
```
- The id of a specific project, for example: `default`. This indicates that the token is **only valid for this project**.
- A pair of opening and closing square brackets: `[]`. This indicates that the token is **valid for a discrete list of projects**. The list of projects is not shown in the token.
- An asterisk: `*`. This indicates that the token is **valid for all projects (current and future)**.
The project value of the token can be one of:
- A single project ID, for example, `default`: when the token can only access a single project.
- `[]`: when the token is valid for a specific set of projects. The list of projects is not shown in the token.
- `*`: when the token is valid for all current and future projects.
The **environment** is the name of an environment on your Unleash server, such as `development`.
The environment value of the token is the name of an environment on your Unleash instance, such as `development`. The hash is a 64-character-long hexadecimal string.
The **hash** is 64 character long hexadecimal string.
Personal access tokens start with the string `user`, and do not contain additional project or environment information.
Personal access tokens do not contain project or environment information, since they mimic the user that created them. Instead, the token starts with the string `user`.
Some example API tokens are:
Some example client tokens are:
- A token with access to flags in the "development" environment of a single project, "project-a":
- A token with access to the `development` environment of a single project, `new-checkout-flow`:
```
project-a:development.be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178
new-checkout-flow:development.be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178
```
- A token with access to flags in the "production" environment multiple projects:
- A token with access to the `production` environment in multiple projects:
```
[]:production.be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178
```
- A token with access to flags in the "development" environment of all projects:
- A token with access to the `development` environment in all current and future projects:
```
*:development.be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178
```
@ -190,25 +128,47 @@ Some example client tokens are:
user:be7536c3a160ff15e3a92da45de531dd54bc1ae15d8455c0476f086b
```
## Proxy client keys {#proxy-client-keys}
Use proxy client keys to connect [Proxy client SDKs (front-end SDKs)](../reference/sdks#front-end-sdks) to the [Unleash Proxy](../reference/unleash-proxy). As opposed to the [API tokens](#api-tokens), Proxy client keys are _not_ considered secret and are safe to use on any clients (refer to the [the proxy documentation for more about privacy](../reference/unleash-proxy#we-care-about-privacy)). They do _not_ let you connect to the Unleash server API.
Note, in Unleash v4.3 or less, API tokens are a 64-character-long hexadecimal string with no additional information. For example:
Proxy client keys are arbitrary strings that you _must_ provide the Unleash proxy with on startup. They can be whatever you want and you **create them yourself**.
```
be44368985f7fb3237c584ef86f3d6bdada42ddbd63a019d26955178
```
:::info Creating proxy client keys
## Create an API token
To designate a string as a proxy client key, add it to the `clientKeys` list when starting the proxy, as mentioned in the [_configuration_ section of the Unleash proxy documentation](../reference/unleash-proxy#configuration). Connecting clients should then specify the same string as their client key.
Depending on your [permissions](#api-token-permissions), you can create API tokens in the Unleash Admin UI in three ways:
- **Admin > API access**: for client or frontend tokens; requires the Admin root role, or a custom root role with [API token permissions](#api-token-permissions).
- **Settings > API access** inside a project: for project-specific client or frontend tokens; permitted for project Members or users with a [corresponding root role](#api-token-permissions).
- **Profile > View profile settings > Personal API tokens**: for [personal access tokens](#personal-access-tokens).
## Connect a client-side SDK to Unleash using Edge
To connect a client-side SDK to Unleash using Unleash Edge, you need both a [client](#client-tokens) and [frontend token](#frontend-tokens):
- The client-side SDK needs a frontend token to communicate with Edge.
- Edge needs a client token to communicate with the Unleash server.
Ensure that the client token has at least the same project and environment scope as the frontend token.
![Diagram showing the types of tokens needed to connect a client-side SDK with Edge, and Edge with Unleash](/img/token-types-example.png)
## Proxy client keys
:::warning
Unleash Proxy is in maintenance mode. Use [Unleash Edge](../reference/unleash-edge) instead.
:::
Unleash does not generate proxy client keys for you. Because of this, they have no specific format.
You can use proxy client keys to connect [frontend SDKs](../reference/sdks#front-end-sdks) to [Unleash Proxy](../reference/unleash-proxy). Proxy client keys are not considered a secret and are safe to expose client-side.
Use Proxy client keys to:
Proxy client keys are arbitrary strings that you provide the Unleash proxy with on startup. They can be any string you choose, and you create them yourself.
- Connect [Proxy client SDKs](../reference/sdks#front-end-sdks) to the [Unleash Proxy](../reference/unleash-proxy)
- Connect your own custom Proxy clients (or pure HTTP requests) to the Unleash Proxy
:::info Creating proxy client keys
Do **not** use Proxy client keys to:
To designate a string as a proxy client key, add it to the `clientKeys` list when [starting the proxy](../reference/unleash-proxy#configuration). Connecting clients should then specify the same string as their client key.
- Connect to the Unleash API. It will not work. Use an appropriate [API token](#api-tokens) instead.
:::
Proxy client keys cannot be used to connect to the Unleash API; use [API tokens](#api-tokens) instead.

4
website/docs/reference/api/legacy/unleash/index.md
View File

@ -13,7 +13,7 @@ The docs in this category are legacy documentation. You should prefer to use the
This describes the API provided to unleash-clients.
Since v4.0.0 all operations require an [API token](/how-to/how-to-create-api-tokens.mdx) with `Client` level access.
Since v4.0.0 all operations require an [API token](/reference/api-tokens-and-client-keys) with `Client` level access.
With versions earlier than v4.0.0 and `insecure` authentication no authentication is required.
@ -23,7 +23,7 @@ With versions earlier than v4.0.0 and `insecure` authentication no authenticatio
## Admin API (internal) {#admin-api-internal}
The internal API used by the Admin UI (unleash-frontend). Since v4.0.0 all operations require an [API token](/how-to/how-to-create-api-tokens) with `Admin` level access:
The internal API used by the Admin UI (unleash-frontend). Since v4.0.0 all operations require an [API token](/reference/api-tokens-and-client-keys) with `Admin` level access:
With versions earlier than v4.0.0 and `insecure` authentication Basic Auth (with curl `-u myemail@test.com:`) is enough.

29
website/docs/reference/front-end-api.md
View File

@ -1,5 +1,5 @@
---
title: Front-end API Access
title: Frontend API
---
:::note Availability
@ -8,41 +8,36 @@ title: Front-end API Access
:::
The **Unleash front-end API** offers a simplified workflow for connecting a client-side (front-end) applications to Unleash. It provides the exact same API as [Unleash edge](https://docs.getunleash.io/reference/unleash-edge) and the [Unleash proxy - deprecated](../generated/unleash-proxy.md). The front-end API is a quick and easy way to add Unleash to single-page applications and mobile apps.
The Unleash Frontend API offers a simplified workflow for connecting client-side applications to Unleash. It provides the exact same API as [Unleash Edge](https://docs.getunleash.io/reference/unleash-edge) and [Unleash Proxy - deprecated](../generated/unleash-proxy.md). The Frontend API is a quick and easy way to add Unleash to single-page applications and mobile apps.
Compared to using Unleash Edge, using the Frontend API has both benefits and drawbacks. The benefits are:
Compared to using Unleash Edge, using the Unleash front-end API has both benefits and drawbacks. The benefits are:
- **You don't need to configure and run Unleash Edge.** The Frontend API is part of Unleash itself and not an external process. All clients will work exactly the same as they would with Unleash Edge.
- **You don't need to configure and run Unleash Edge.** The front-end API is part of Unleash itself and not an external process. All clients will work exactly the same as they would with Unleash Edge.
On the other hand, using the Frontend API has the following drawbacks compared to using Unleash Edge:
On the other hand, using the front-end API has the following drawbacks compared to using Unleash Edge:
- **It can't handle a large number of requests per second.** Because the front-end API is part of Unleash, you can't scale it horizontally the way you can scale Unleash Edge.
- **It can't handle a large number of requests per second.** Because the Frontend API is part of Unleash, you can't scale it horizontally the way you can scale Unleash Edge.
- **It sends client details to your Unleash instance.** Unleash only stores these details in its short-term runtime cache, but this can be a privacy issue for some use cases.
These points make the Unleash front-end API best suited for development purposes and applications that dont receive a lot of traffic, such as internal dashboards. However, because the API is identical to the Unleash Edge API, you can go from one to the other at any time. As such, you can start out by using the front-end API and switch to using Unleash Edge when you need it.
These points make the Unleash Frontend API best suited for development purposes and applications that dont receive a lot of traffic, such as internal dashboards. However, because the API is identical to the Unleash Edge API, you can go from one to the other at any time. As such, you can start out by using the Frontend API and switch to Unleash Edge when you need it.
## Using the Unleash front-end API
## Using the Unleash Frontend API
When using the front-end API in an SDK, there's three things you need to configure.
### Front-end API tokens
As a client-side API, you should use a [front-end API token](../reference/api-tokens-and-client-keys.mdx#front-end-tokens) to interact with it. Refer to the [how to create API tokens](../how-to/how-to-create-api-tokens.mdx) guide for steps on how to create API tokens.
When using the Frontend API in an SDK, there's three things you need to configure.
### Cross-origin resource sharing (CORS) configuration {#cors}
You need to allow traffic from your application domains to use the Unleash front-end API with web and hybrid mobile applications. You can update the front-end API CORS settings from the Unleash UI under _admin \> CORS_ or by using the API.
You need to allow traffic from your application domains to use the Unleash Frontend API with web and hybrid mobile applications. You can update the Frontend API CORS settings from the Unleash UI under _admin \> CORS_ or by using the API.
### API URL
The client needs to point to the correct API endpoint. The front-end API is available at `<your-unleash-instance>/api/frontend`.
The client needs to point to the correct API endpoint. The Frontend API is available at `<your-unleash-instance>/api/frontend`.
<!-- Point to the API docs when they're published -->
### API token
You can create appropriate token, with type `FRONTEND` on `<YOUR_UNLEASH_URL>/api/admin/create-token` page or with a request to `/api/admin/api-tokens`. See our guide on [how to create API tokens](../how-to/how-to-create-api-tokens.mdx) for more details.
The client needs a frontend [token](../reference/api-tokens-and-client-keys.mdx#front-end-tokens) to interact with the Frontend API.
### Refresh interval for tokens

2
website/docs/reference/sdks/index.mdx
View File

@ -4,7 +4,7 @@ title: SDK overview
import VideoContent from '@site/src/components/VideoContent.jsx'
To connect your application to Unleash you need a [client SDK](#official-sdks) for your programming language and an [API token](../how-to/how-to-create-api-tokens). The SDK handles connecting to the Unleash server instance and retrieving feature flags based on your configuration. All versions of Unleash (OSS, Pro, and Enterprise) use the same client SDKs.
To connect your application to Unleash you need a [client SDK](#official-sdks) for your programming language and an [API token](./api-tokens-and-client-keys). The SDK handles connecting to the Unleash server instance and retrieving feature flags based on your configuration. All versions of Unleash (OSS, Pro, and Enterprise) use the same client SDKs.
Unleash provides official client SDKs for a number of programming languages. Additionally, our community has developed and contributed SDKs for other languages. So if you can't find your favorite language in the list of official SDKs, check out the [list of clients written by our fantastic community](#community-sdks).

28
website/docs/reference/service-accounts.md
View File

@ -8,26 +8,16 @@ title: Service Accounts
:::
Service accounts are accounts that act as normal Unleash users and that respect the same set of permissions, but that don't represent real users. These accounts do not have a password and cannot log in to the Unleash UI. Instead, they are intended to be used to access the Unleash API programmatically, providing integrations an identity.
Service accounts provide an identity for integration and automation tools to access the Unleash API. You can assign a role to a service account, granting it a specific set of permissions. Service accounts authenticate using tokens. They do not have a password and cannot access the Unleash Admin UI.
![Service account table](/img/service-account-table.png)
## Create a service account
Use service accounts to:
- Provide a user-like identity to an integration or automation and manage it within Unleash
- Give access to the Unleash API without giving access to the Unleash UI
- Provide more fine-grained permissions than an admin token provides
In order to create a service account, you can follow the [how to create service accounts](../how-to/how-to-create-service-accounts.mdx) guide.
## Service account tokens
Service account tokens allow service accounts to use the Admin API as themselves with their own set of permissions, rather than using an admin token. See [_how to use the Admin API_](../how-to/how-to-use-the-admin-api.md) for more information.
These tokens act just like [personal access tokens](./api-tokens-and-client-keys.mdx#personal-access-tokens) for the service accounts, except that they are managed by Unleash admins.
When you use a service account token to modify resources, the events record the service account name for that operation.
Service account tokens can be managed by editing the respective service account:
To create service accounts in the Unleash Admin UI:
1. Go to **Admin > Service accounts.**
2. Enter a name and username for the service account and select a root role.
3. Optionally, create and assign a service account token. You can also generate one later.
4. Click **Save service account**.
![Service account tokens](/img/service-account-tokens.png)
When a service account creates or modifies resources, Unleash uses the username of the account as the value for the _Created by_ or _Changed_ by properties of [events](./events).

6
website/docs/understanding-unleash/proxy-hosting.mdx
View File

@ -81,7 +81,7 @@ You'll need to configure Edge and the SDKs.
### On Unleash
- Create one or more [client API tokens](https://docs.getunleash.io/reference/api-tokens-and-client-keys#client-tokens) scoped to the projects/environments you wish to use the Edge instance for. Refer to [how to create API tokens](https://docs.getunleash.io/how-to/how-to-create-api-tokens) for the steps to create one.
- Create one or more [client API tokens](../reference/api-tokens-and-client-keys#client-tokens) scoped to the projects/environments you wish to use the Edge instance for.
- Create frontend tokens for the frontend apps that will retrieve feature flags from Edge.
### On Edge
@ -169,8 +169,8 @@ You'll need to configure the proxy and the proxy client SDKs.
For the proxy, configure:
- The Unleash API url. This is your Unleash instance URL followed by `/api`.
- A [client API token](../reference/api-tokens-and-client-keys.mdx#client-tokens). Refer to [how to create API tokens](../how-to/how-to-create-api-tokens.mdx) for the steps to create one.
- One or more [proxy client keys](../reference/api-tokens-and-client-keys.mdx#proxy-client-keys). Refer to the [configuration section of the proxy document](../reference/unleash-proxy#configuration) for more details.
- A [client API token](../reference/api-tokens-and-client-keys#client-tokens).
- One or more [proxy client keys](../reference/api-tokens-and-client-keys#proxy-client-keys). Refer to the [configuration section of the proxy document](../reference/unleash-proxy#configuration) for more details.
For the proxy client SDK, configure:

2
website/docs/understanding-unleash/unleash-overview.md
View File

@ -23,7 +23,7 @@ Before you can connect your application to Unleash you need a Unleash server. Yo
![A visual overview of an Unleash system as described in the following paragraph.](/img/unleash-architecture-edge.png 'System Overview')
- [**Unleash API**](/reference/api/unleash) - The Unleash instance. This is where you create feature flags, configure activation strategies, and parameters, etc. The service that contains all feature flags and their configurations. Configurations declare which activation strategies to use and which parameters they should get.
- **Unleash Admin UI** - The bundled web interface for interacting with the Unleash instance. Manage flags, define strategies, look at metrics, and much more. Use the UI to [create feature flags](/how-to-create-feature-flag), [manage project access roles](../how-to/how-to-create-and-assign-custom-project-roles), [create API tokens](../how-to/how-to-create-api-tokens), and more.
- **Unleash Admin UI** - The bundled web interface for interacting with the Unleash instance. Manage flags, define strategies, look at metrics, and much more. Use the UI to [create feature flags](/how-to-create-feature-flag), [manage project access roles](../how-to/how-to-create-and-assign-custom-project-roles), [create API tokens](/reference/api-tokens-and-client-keys#create-an-api-token), and more.
- [**Unleash SDKs**](../reference/sdks) - Unleash SDKs integrate into your applications and get feature configurations from the Unleash API. Use them to check whether features are enabled or disabled and to send metrics to the Unleash API. [See all our SDKs](../reference/sdks)
- [**Unleash Edge**](../reference/unleash-edge) - The Unleash Edge sits between front-end and native applications on one side and the Unleash API on the other. It can also sit between server-side SDKs and the Unleash API as well. You can scale it independently of the Unleash API to handle large request rates without causing issues for the Unleash API. Edge has all endpoints for the client API, frontend API, and proxy API.

2
website/docs/using-unleash/deploy/getting-started.md
View File

@ -117,7 +117,7 @@ docker run -p 4242:4242 \
## Create an api token for your client {#create-an-api-token-for-your-client}
- [API Token creation](../../how-to/how-to-create-api-tokens.mdx)
- [Create an API token](/reference/api-tokens-and-client-keys#create-an-api-token).
## Test your server and create a sample API call {#test-your-server-and-create-a-sample-api-call}

7
website/docusaurus.config.ts
View File

@ -445,13 +445,6 @@ class="header-github-link"
{
fromExtensions: ['html', 'htm'],
redirects: [
{
to: '/how-to/how-to-create-api-tokens',
from: [
'/user_guide/api-token',
'/deploy/user_guide/api-token',
],
},
{
from: '/advanced/audit_log',
to: '/reference/events',

4
website/sidebars.ts
View File

@ -704,10 +704,6 @@ const sidebars: SidebarsConfig = {
slug: '/how-to/api',
},
items: [
'how-to/how-to-create-api-tokens',
'how-to/how-to-create-personal-access-tokens',
'how-to/how-to-create-project-api-tokens',
'how-to/how-to-create-service-accounts',
'how-to/how-to-download-login-history',
'how-to/how-to-use-the-admin-api',
'how-to/how-to-enable-openapi',

BIN
website/static/img/admin_configure_api.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 72 KiB

BIN
website/static/img/admin_copy_token.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 60 KiB

BIN
website/static/img/admin_create_project_token_form.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 300 KiB

BIN
website/static/img/admin_create_token_form.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 63 KiB

BIN
website/static/img/admin_new_api_key_button.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
website/static/img/copy_project_token.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 298 KiB

BIN
website/static/img/create-pat-1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 40 KiB

BIN
website/static/img/create-pat-2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 51 KiB

BIN
website/static/img/create-pat-3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 69 KiB

BIN
website/static/img/create-pat-4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 91 KiB

BIN
website/static/img/create-pat-5.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 92 KiB

BIN
website/static/img/service-account-1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 59 KiB

BIN
website/static/img/service-account-2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

BIN
website/static/img/service-account-3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 162 KiB

BIN
website/static/img/service-account-4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 130 KiB

BIN
website/static/img/service-account-5.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 127 KiB

BIN
website/static/img/service-account-6.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
website/static/img/service-account-table.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
website/static/img/service-account-tokens.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 146 KiB

After

Width:  |  Height:  |  Size: 286 KiB

BIN
website/static/img/token-types-example.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 119 KiB

24
website/vercel.json
View File

@ -33,12 +33,32 @@
},
{
"source": "/user_guide/api-token",
"destination": "/how-to/how-to-create-api-tokens",
"destination": "/reference/api-tokens-and-client-keys",
"permanent": true
},
{
"source": "/deploy/user_guide/api-token",
"destination": "/how-to/how-to-create-api-tokens",
"destination": "/reference/api-tokens-and-client-keys",
"permanent": true
},
{
"source": "/how-to/how-to-create-api-tokens",
"destination": "/reference/api-tokens-and-client-keys#create-an-api-token",
"permanent": true
},
{
"source": "/how-to/how-to-create-project-api-tokens",
"destination": "/reference/api-tokens-and-client-keys#create-an-api-token",
"permanent": true
},
{
"source": "/how-to/how-to-create-personal-access-tokens",
"destination": "/reference/api-tokens-and-client-keys#create-an-api-token",
"permanent": true
},
{
"source": "/how-to/how-to-create-service-accounts",
"destination": "/reference/service-accounts#create-a-service-account",
"permanent": true
},
{