Tried to do some searching on this, so forgive me if this has already been answered. For non-self-hosted usage, should the API keys be kept out of source control? First thought was yes, but you would not be able to avoid that if using frontend clients. Might be a trivial answer that I missed in the docs as well. If this is unavoidable, is self-hosting a solution if we want to prevent anyone from accessing our feature flag data?
09/23/2022, 4:13 PM
The API keys used with the SDKs are read-only and safe to use client-side. If you don't want to expose the list of features to end users, you can evaluate them using one of our server-side SDKs.
We also have a project coming up that adds an encryption option to the API endpoint - https://github.com/growthbook/growthbook/pull/530 . If you use that client-side someone could still in theory inspect the source code and find your encryption key, so it's not perfect, but it will stop any casual users from finding your list of features.
09/23/2022, 4:35 PM
Makes total sense, thanks for the info. Think I was confused about self-hosting as well, since you would still be sending the keys from the client, although you could add some protection around the server to block outside requests.