Looking at the docs for their JS SDK, they have this warning: > The client provider requires an...

crabmusket • today at 1:25 AM • 1 reply • view on HN

Looking at the docs for their JS SDK, they have this warning:

> The client provider requires an API token to fetch flag values. This token is not scoped to a single app, so anyone with the token can evaluate flags across all apps in your account. Use the client provider with caution in public-facing applications.

https://developers.cloudflare.com/flagship/sdk/client-provid...

Can anyone clarify... why the client SDK, designed to be deployed to browsers, requires caution? Does this mean that any client could send requests with a new targetingKey and observe other users' flags?

While flags probably shouldn't be critical information, this seems like an interesting design choice.

Replies

OptionOfT • today at 1:34 AM

Let's think about it. This is probably something used internally at CloudFlare and someone thought I'd be interesting to make it public.

There is no way 6 months ago someone at CloudFlare thought it was a good idea to build a competitor to say LaunchDarkly.

➕ show 3 replies

alt Hacker News

Replies