Comment by crabmusket

16 hours ago

Looking at the docs for their JS SDK, they have this warning:

> The client provider requires an API token to fetch flag values. This token is not scoped to a single app, so anyone with the token can evaluate flags across all apps in your account. Use the client provider with caution in public-facing applications.

https://developers.cloudflare.com/flagship/sdk/client-provid...

Can anyone clarify... why the client SDK, designed to be deployed to browsers, requires caution? Does this mean that any client could send requests with a new targetingKey and observe other users' flags?

While flags probably shouldn't be critical information, this seems like an interesting design choice.

29 comments

crabmusket

OptionOfT 15 hours ago

Let's think about it. This is probably something used internally at CloudFlare and someone thought I'd be interesting to make it public.

There is no way 6 months ago someone at CloudFlare thought it was a good idea to build a competitor to say LaunchDarkly.

jasonjmcghee 15 hours ago
Hmm not sure I necessarily agree. Cloudflare's strategy has been looking like "the only platform you need" for a while now.
Their recent features / announcements have been equivalent to:
(LaunchDarkly)
Resend, Firecrawl, CrewAI, Helicone, Replicate, Pinecone
-
Which like… many companies have a painful procurement process. If all you need is Cloudflare, and prices are within reason- why not use them
- gowthamgts12 13 hours ago
  
  Their quality of the products they ship have already became shitty for quite a while now.
  
  2 replies →
- stingraycharles 13 hours ago
  
  Don’t forget they now also have an OpenRouter alternative.
  
  1 reply →
bg24 15 hours ago
Both Cloudflare and Vercel have feature parity. Flags is a feature already in Vercel. While customer-first is a thing, it is also a no-brainer to start with: we use it, Vercel has it, let us build it.
- pjmlp 11 hours ago
  
  Now waiting for Cloudflare to allow me to use Rust for serverless, real native code, not WebAssembly.
  https://vercel.com/docs/functions/runtimes/rust
  
  3 replies →
roerohan 13 hours ago
https://blog.cloudflare.com/flagship
Here's why we built it!
- Hamuko 13 hours ago
  
  >Agentic coding tools like OpenCode and Claude Code are shipping entire features in minutes.
  How many minutes do I need to wait until app-scoped tokens are live?
  
  1 reply →
- philipwhiuk 6 hours ago
  
  Ah, no-look coding.
  How can we possibly trust the AI to disable the 'CODE_IS_SKYNET' flag.
wahnfrieden 15 hours ago

Care to share why

roerohan 13 hours ago

Hi! One of the engineers from the Flagship team here, app-scoped tokens are WIP.

stingraycharles 13 hours ago
That sounds like the product is not finished and should not be released?
- nine_k 10 hours ago
  
  "If you are not ashamed by what you are shipping, you are not shipping early enough" (Quoting from memory)
  
  3 replies →
- ai_fry_ur_brain 12 hours ago
  
  This has been the Cloudflare standard operating procedure for the last year or so. Non stop shipping alpha/beta products.
  
  1 reply →
yuretz 13 hours ago

Is it perhaps available behind a flag somewhere?
Craighead 13 hours ago

Then it's not finished?

jjcm 14 hours ago

Jane Wong salivating reading this