Hi all, I am integrating the GrowthBook SDK (Java SDK) with my Spring Boot web application. I am curious whether the client key is supposed to be treated as a secret or not. Basically, I am using it only on the backend side and no users can access this key, but I just want to make sure I treat this key correctly (e.g. save it in a secrets manager).
01/18/2024, 8:15 AM
not super secret - it will decrypt attributes, so on the server it's not strictly necessary.
01/18/2024, 8:44 AM
Can you clarify more about "not super secret"? Is it still secret but just not really sensitive?
To expand on my use case, my company has a policy to not include any secrets in code/repo, so if it is secret, I will need to keep it in AWS Secrets Manager, and if it is not secret, I can keep it in the repo.
01/18/2024, 3:40 PM
The client_key is not required to be treated as a secret key and it is OK to expose the client_key on the client side. However, the client key will allow users to see your feature flag list and rules.
If you want to add an extra layer of security, you can encrypt the /features endpoint for a given API key to make it harder for someone to access the feature flag list and rules. The encrypted features would need to be decrypted on the client side using a decryption key.
01/18/2024, 6:02 PM
Thank you. This helps a lot! I'll look into encryption.