API Authentication
All Flagstack API requests require authentication using an API token.
Creating an API Token
Create API tokens in the Flagstack dashboard:
- Navigate to your organization's API Tokens page
- Click New Token
- Give your token a descriptive name (e.g., "Production Server")
- Select the environment this token will access
- Copy the token — it won't be shown again
Using the Token
Include your API token in the Authorization header:
$ curl -H "Authorization: Bearer YOUR_API_TOKEN" \
    https://flagstack.io/api/v1/features
Token Scopes
Each token is scoped to a specific environment. A production token can only access production flag states.
Read-only Access
API tokens can read feature flag states but cannot modify them. Use the dashboard to make changes.
Error Responses
Invalid or missing tokens return a 401 Unauthorized response:
{
  "error": "Unauthorized",
  "message": "Invalid or missing API token"
}
Keep your tokens secure
Never commit API tokens to version control. Use environment variables or a secrets manager. Rotate tokens if they may have been exposed.
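The advice above applied to the curl call on this page, as an added example that is not Flagstack's own code: the token is read from an environment variable and handed to curl on stdin, so it is never part of curl's command line. The variable name FLAGSTACK_API_TOKEN and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not Flagstack's own code.
# Assumption: the token is provided as FLAGSTACK_API_TOKEN (hypothetical name)
# by your CI secret store, secrets manager, or process environment.

FLAGSTACK_BASE_URL="https://flagstack.io/api/v1"   # base URL from this page

# Print a curl config (url + Authorization header) for the given API path.
# Returns 1 and prints nothing on stdout if the token is unset or empty, or if
# it contains a character outside the RFC 6750 bearer-token set, which also
# keeps quotes and newlines from breaking out of the quoted header value.
flagstack_curl_config() {
  local path="$1" token="${FLAGSTACK_API_TOKEN:-}"
  if [ -z "$token" ]; then
    echo "FLAGSTACK_API_TOKEN is not set" >&2
    return 1
  fi
  case "$token" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "FLAGSTACK_API_TOKEN contains unexpected characters" >&2
      return 1 ;;
  esac
  printf 'url = "%s/%s"\n' "$FLAGSTACK_BASE_URL" "${path#/}"
  printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# GET an API path, e.g.:  flagstack_get /features
# The config reaches curl on stdin (--config -) and printf is a shell builtin,
# so the token never shows up in any process's argument list or `ps` output.
flagstack_get() {
  local config
  config="$(flagstack_curl_config "$1")" || return 1
  # --fail turns the 401 Unauthorized response into a non-zero exit status,
  # so a rotated or revoked token stops the caller instead of passing silently.
  printf '%s\n' "$config" | curl --silent --show-error --fail --config -
}
```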
Base URL
All API requests should be made to:
https://flagstack.io/api/v1