Authentication

Rollgate uses API keys for authentication. Different key types provide different levels of access.

API Key Types

Client Key (rg_client_...)

Client keys are designed for frontend applications. They provide read-only access to flag values.

  • Safe to expose in client-side code
  • Can fetch flag values
  • Can use SSE streaming
  • Cannot create/update/delete flags

Server Key (rg_server_...)

Server keys provide full API access and should only be used in secure server environments.

  • Never expose in client-side code
  • Full read/write access to flags
  • Can manage projects and users
  • Required for the management API

Using API Keys

Include your API key in the Authorization header:

curl https://api.rollgate.io/api/v1/sdk/flags \
  -H "Authorization: Bearer rg_client_your_key_here"

Creating API Keys

  1. Log in to your Rollgate dashboard
  2. Navigate to Settings → API Keys
  3. Click Create API Key
  4. Select the key type (Client or Server)
  5. Copy and securely store your key

Security Best Practices

  • Never commit API keys to version control
  • Use environment variables for key storage
  • Rotate keys periodically (recommended: every 90 days)
  • Use client keys for frontend, server keys for backend only
  • Revoke compromised keys immediately

Key Rotation Strategy

For production environments, rotate API keys regularly to minimize exposure risk:

  1. Create a new key in the dashboard while the old key is still active
  2. Update your application to use the new key (via environment variable)
  3. Deploy and verify the new key works correctly in production
  4. Revoke the old key once all deployments are using the new key

Both keys remain valid during the transition, allowing zero-downtime rotation.
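The following is an added example, not part of Rollgate's documentation or SDK. It shows how a backend might enforce the client/server key split described above and read keys from the environment so the rotation steps need no code change. The environment variable names ROLLGATE_API_KEY and ROLLGATE_API_KEY_NEXT, the key character set, and the sample values are assumptions.

```python
import re

# Prefixes are documented on the page; the character set after them is assumed.
_KEY_RE = re.compile(r"^rg_(client|server)_[A-Za-z0-9_-]+$")

# Constructed sample environment mid-rotation: old key still set, new key added.
SAMPLE_ENV = {
    "ROLLGATE_API_KEY": "rg_server_old0001",       # constructed, not a real key
    "ROLLGATE_API_KEY_NEXT": "rg_server_new0002",  # constructed, not a real key
}


def key_type(api_key):
    """Return 'client' or 'server' from the key prefix, or None if malformed."""
    m = _KEY_RE.match(api_key or "")
    return m.group(1) if m else None


def check_key(api_key, expected_type):
    """Return None if the key is well-formed and of the expected type, else a reason.

    This is the guard against a server key ending up in frontend code (or a
    client key being used where write access is required)."""
    actual = key_type(api_key)
    if actual is None:
        return "malformed Rollgate API key"
    if actual != expected_type:
        return f"expected a {expected_type} key, got a {actual} key"
    return None


def auth_header(api_key, expected_type):
    """Build the Authorization header the API expects, refusing wrong key types."""
    problem = check_key(api_key, expected_type)
    if problem:
        raise ValueError(problem)
    return {"Authorization": f"Bearer {api_key}"}


def load_key(env, expected_type):
    """Pick the key from env during rotation (variable names are assumed).

    ROLLGATE_API_KEY_NEXT (newly created key) wins over ROLLGATE_API_KEY (old
    key), so a deploy that only adds the new variable cuts over; once the old
    key is revoked, the variables can be collapsed back to one."""
    for name in ("ROLLGATE_API_KEY_NEXT", "ROLLGATE_API_KEY"):
        if env.get(name):
            return auth_header(env[name], expected_type), name
    raise KeyError("no Rollgate API key in environment")


def redact(api_key):
    """Mask a key for log lines: keep only the type prefix and last 4 characters."""
    t = key_type(api_key)
    return f"rg_{t}_...{api_key[-4:]}" if t else "<invalid>"
```

Log `redact(key)` rather than the key itself so audit or application logs never become a second place the key has to be rotated out of.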

Environment Scoping

Each API key is scoped to a specific environment (development, staging, production). This ensures isolation between environments:

Environment   Key Usage                 Recommended Access
development   Local testing, CI/CD      All developers
staging       Pre-production testing    Dev team + QA
production    Live user traffic         DevOps + Senior devs only

Audit Trail

All API key operations are logged for compliance and security auditing:

  • Key creation: Who created, when, for which environment
  • Key revocation: Who revoked, when, reason (if provided)
  • Flag changes: All flag modifications include the API key used
  • Access logs: Available for enterprise plans

Compliance Considerations

GDPR / Data Protection

  • API keys do not contain PII
  • User context is hashed, not stored
  • Flag evaluations are not logged with user data
  • Right to erasure supported via API

SOC 2 / Security Controls

  • Key rotation support
  • Environment isolation
  • Audit logging
  • Least-privilege access (client vs server keys)