Service Accounts & API Keys

In order to get programmatic access to the features via FeatureHub SDKs, you will need to provide an API Key, so the SDK knows which environment and which application to get your features from. Follow these steps to generate API Keys in FeatureHub Admin UI:

Create a service account (or use existing)
Assign service account permissions (READ, CHANGE_VALUE, LOCK/UNLOCK) to the desired application and environment(s). Two API Keys will get generated - "Client eval API key" and "Server eval API Key"
Copy either "Client eval" or "Server eval" key for the desired application/environment from the API Keys page and pass it into one of the FeatureHub’s SDK config - usually called apiKey property, e.g. in JS SDK EdgeFeatureHubConfig.config(url, apiKey);

See for more details in the below sections.

Service Accounts

You can create a service account from the Service Accounts menu with either Portfolio or Super Admin user permissions. The same service account can be used across multiple environments and applications. We recommend two service accounts be created for an application, one with access to a production environment(s) and the other one for non-production environment(s). However, FeatureHub remains flexible on how customers could split their service accounts according to individual needs.

When service account is created, it is created per portfolio, so you will have an option to add access permissions to any application in the portfolio. (Links to "Add access" or "Change access" for each application should be displayed on the Service Accounts management page.)

Service Account Permissions

You can assign Service Account Permissions from the Application Settings/Service Account Permissions page. Service account permissions are granular and assigned per environment within an application. In order to perform this action you require to have either Portfolio or Super Admin permissions.

READ Read the value of a feature
LOCK Can lock a feature, so its value, strategies or "retire" status can’t be changed, this can provide an additional safety net when deploying incomplete code into production, indicating to the team members that the feature is not ready to be turned "ON" . (Typically, developers and testers keep features locked until they are finished and ready to be set)
UNLOCK Can unlock a feature, so it’s value can be changed
CHANGE_VALUE Can change the value of a feature or can "retire" a feature

CHANGE_VALUE permission supersedes the LOCK/UNLOCK.

API Keys

When a service account is given access permissions for an environment in a selected application, it automatically creates two types of API keys that you can choose from Client Evaluated API Key and Server Evaluated API Key. Read more info on API Keys types here. A service account will need a minimum of READ permission to an environment in order to access a feature value and for the API Keys to get created. You can find and copy the keys from the API Keys menu. Users will need to be in a group with relevant permissions to access the keys.

In case an API key gets compromised there is an option to reset the key and immediately disable the previous one.

Because API Keys are based on a service account ID, it is not possible to reset a single API key at a time, but there is an option to reset service account ID, which in turn will cause reset to all API keys attached to that service account. This could potentially affect multiple applications and multiple environments. Thus, it is recommended to always have a separate Service Account for a production environment. There is also an option to either reset Client evaluated API keys or Server evaluated API keys. Warning is provided before the reset. The option to reset the keys will only be available to Portfolio Admins and Super Admins, since service accounts settings can only be viewed by them. Only Portfolio and Super admins always have full permissions to see in which apps and environments a service account is used.