Skip to main content
Flipt v2 introduces an enhanced authorization system that provides environment-aware, hierarchical access control. This system builds upon v1โ€™s foundation while adding support for multi-environment deployments. Flipt supports the ability to secure its core API routes by setting the required field to true on the authorization configuration object.
config.yaml
When authorization is set to required, the API will ensure valid credentials are present on all management API requests.
Once authorization has been set to required: true all management API routes will require a valid authentication session as well.The UI will require a session-compatible authentication method (e.g. OIDC) to be enabled.

Backends

Flipt uses Open Policy Agent (OPA) to enforce authorization policies. OPA is a general-purpose policy engine that can be used to enforce policies across the stack. Flipt supports sourcing policies and external data from various backends. Currently, Flipt supports the following backends:

Local

Flipt supports loading policy and external data from the local filesystem.

Policies

For configuring policies, the files must be valid Rego files. You can specify the path to the policy file in the policy object in the authorization configuration object.
The policy must have the following package declaration:
policy.rego
Flipt v2 uses package flipt.authz.v2 instead of v1โ€™s package flipt.authz.v1. This is a breaking change that reflects the enhanced authorization model.

Polling Interval

Flipt will poll the policy file for changes at a regular interval. By default, Flipt will poll the policy file every 5 minutes. You can adjust this interval by setting the poll_interval field in the policy object.

External Data

In addition to policies that can be used to enforce authorization rules, Flipt also provides a way to pass external data to the policy evaluation from the local filesystem. These data objects must be valid JSON objects. This can be done by setting the data object in the authorization configuration object.

Polling Interval

Like policies, Flipt will poll data files for changes at a regular interval. By default, Flipt will poll the data file every 30 seconds. You can adjust this interval by setting the poll_interval field in the data object.

Key Differences from v1

Flipt v2 authorization introduces several important changes:

1. Environment-Aware Authorization

Unlike v1, which operates at the namespace level, v2 introduces a hierarchical model with environments:
  • Global scope: Full access to all environments and namespaces
  • Environment scope: Manage namespaces within specific environments
  • Namespace scope: Manage resources (flags, segments, etc.) within specific namespaces

2. Optional Policy Queries for UI Filtering

v2 policies can optionally implement two special queries to enable UI filtering. When implemented, these queries allow the Flipt UI to show only the environments and namespaces that users have access to:
These queries are optional. If not implemented, the UI will show all environments and namespaces, but authorization will still be enforced when users attempt to access them.Implementing these queries improves the user experience by filtering out inaccessible resources in the UI.

3. Simplified Request Structure

v2 uses a simplified request structure with scope field:

Example Policies

Basic RBAC Policy

Hereโ€™s a complete example of a v2 RBAC policy:
policy.rego

Example Data Structure

The accompanying data.json file defines role bindings:
data.json
This structure allows:
  • Global admins: Full access to everything
  • Platform team: Manage all namespaces in production, read/update in staging
  • Developers: Full access to specific namespaces in development, read-only in staging

Migration from v1

When migrating from v1 to v2:
  1. Update package declaration from flipt.authz.v1 to flipt.authz.v2
  2. Add environment context to your role bindings
  3. Optionally implement the UI filtering queries: viewable_environments and viewable_namespaces(env) for better UX
  4. Update request handling to use the new scope field instead of resource/subject
  5. Remove bundle configurations as theyโ€™re not supported in v2 (yet)
Existing v1 policies will not work without modification. Plan your migration carefully and test thoroughly before deploying to production.