launchdarkly-api-typescript
This repository contains a client library for LaunchDarkly's REST API. This client was automatically generated from our OpenAPI specification using a code generation library.
This REST API is for custom integrations, data export, or automating your feature flag workflows. DO NOT use this client library to include feature flags in your web or mobile application. To integrate feature flags with your application, read the SDK documentation.
This client library is only compatible with the latest version of our REST API, version `20220603`. Previous versions of this client library, prior to version 10.0.0, are only compatible with earlier versions of our REST API. When you create an access token, you can set the REST API version associated with the token. By default, API requests you send using the token will use the specified API version. To learn more, read Versioning.
View our sample code for example usage.
LaunchDarkly's REST API uses the HTTPS protocol with a minimum TLS version of 1.2.
All REST API resources are authenticated with either personal or service access tokens, or session cookies. Other authentication mechanisms are not supported. You can manage personal access tokens on your Authorization page in the LaunchDarkly UI.
LaunchDarkly also has SDK keys, mobile keys, and client-side IDs that are used by our server-side SDKs, mobile SDKs, and JavaScript-based SDKs, respectively. These keys cannot be used to access our REST API. These keys are environment-specific, and can only perform read-only operations such as fetching feature flag settings.
Auth mechanism | Allowed resources | Use cases |
---|---|---|
Personal or service access tokens | Can be customized on a per-token basis | Building scripts, custom integrations, data export. |
SDK keys | Can only access read-only resources specific to server-side SDKs. Restricted to a single environment. | Server-side SDKs |
Mobile keys | Can only access read-only resources specific to mobile SDKs, and only for flags marked available to mobile keys. Restricted to a single environment. | Mobile SDKs |
Client-side ID | Can only access read-only resources specific to JavaScript-based client-side SDKs, and only for flags marked available to client-side. Restricted to a single environment. | Client-side JavaScript |
Keep your access tokens and SDK keys private
Access tokens should never be exposed in untrusted contexts. Never put an access token in client-side JavaScript, or embed it in a mobile application. LaunchDarkly has special mobile keys that you can embed in mobile apps. If you accidentally expose an access token or SDK key, you can reset it from your Authorization page.
The client-side ID is safe to embed in untrusted contexts. It's designed for use in client-side JavaScript.
The preferred way to authenticate with the API is by adding an `Authorization` header containing your access token to your requests. The value of the `Authorization` header must be your access token.
Manage personal access tokens from the Authorization page.
For testing purposes, you can make API calls directly from your web browser. If you are logged in to the LaunchDarkly application, the API will use your existing session to authenticate calls.
If you have a role other than Admin, or have a custom role defined, you may not have permission to perform some API calls. You will receive a `401` response code in that case.
Modifying the Origin header causes an error
LaunchDarkly validates that the Origin header for any API request authenticated by a session cookie matches the expected Origin header. The expected Origin header is `https://app.launchdarkly.com`. If the Origin header does not match what's expected, LaunchDarkly returns an error. This error can prevent the LaunchDarkly app from working correctly.

Any browser extension that intentionally changes the Origin header can cause this problem. For example, the `Allow-Control-Allow-Origin: *` Chrome extension changes the Origin header to `http://evil.com` and causes the app to fail. To prevent this error, do not modify your Origin header.
LaunchDarkly does not require origin matching when authenticating with an access token, so this issue does not affect normal API usage.
All resources expect and return JSON response bodies. Error responses also send a JSON body. To learn more about the error format of the API, read Errors.
In practice this means that you always get a response with a `Content-Type` header set to `application/json`.

In addition, request bodies for `PATCH`, `POST`, and `PUT` requests must be encoded as JSON with a `Content-Type` header set to `application/json`.
When you fetch a list of resources, the response includes only the most important attributes of each resource. This is a summary representation of the resource. When you fetch an individual resource, such as a single feature flag, you receive a detailed representation of the resource.
The best way to find a detailed representation is to follow links. Every summary representation includes a link to its detailed representation.
Sometimes the detailed representation of a resource does not include all of the attributes of the resource by default. If this is the case, the request method will clearly document this and describe which attributes you can include in an expanded response.
To include the additional attributes, append the `expand` request parameter to your request and add a comma-separated list of the attributes to include. For example, when you append `?expand=members,maintainers` to the Get team endpoint, the expanded response includes both of these attributes.
The best way to navigate the API is by following links. These are attributes in representations that link to other resources. The API always uses the same format for links:

- `_links` object
- `_site` link

Each link has two attributes:

- `href`, which contains the URL
- `type`, which describes the content type

For example, a feature resource might return the following:

```json
{
  "_links": {
    "parent": {
      "href": "/api/features",
      "type": "application/json"
    },
    "self": {
      "href": "/api/features/sort.order",
      "type": "application/json"
    }
  },
  "_site": {
    "href": "/features/sort.order",
    "type": "text/html"
  }
}
```
From this, you can navigate to the parent collection of features by following the `parent` link, or navigate to the site page for the feature by following the `_site` link.

Collections are always represented as a JSON object with an `items` attribute containing an array of representations. Like all other representations, collections have `_links` defined at the top level.

Paginated collections include `first`, `last`, `next`, and `prev` links containing a URL with the respective set of elements in the collection.
Resources that accept partial updates use the `PATCH` verb. Most resources support the JSON patch format. Some resources also support the JSON merge patch format, and some resources support the semantic patch format, which is a way to specify the modifications to perform as a set of executable instructions. Each resource supports optional comments that you can submit with updates. Comments appear in outgoing webhooks, the audit log, and other integrations.
When a resource supports both JSON patch and semantic patch, we document both in the request method. However, the specific request body fields and descriptions included in our documentation only match one type of patch or the other.
JSON patch is a way to specify the modifications to perform on a resource. JSON patch uses paths and a limited set of operations to describe how to transform the current state of the resource into a new state. JSON patch documents are always arrays, where each element contains an operation, a path to the field to update, and the new value.
For example, in this feature flag representation:
```json
{
  "name": "New recommendations engine",
  "key": "engine.enable",
  "description": "This is the description",
  ...
}
```
You can change the feature flag's description with the following patch document:
```json
[{ "op": "replace", "path": "/description", "value": "This is the new description" }]
```
You can specify multiple modifications to perform in a single request. You can also test that certain preconditions are met before applying the patch:
```json
[
  { "op": "test", "path": "/version", "value": 10 },
  { "op": "replace", "path": "/description", "value": "The new description" }
]
```
The above patch request tests whether the feature flag's `version` is `10`, and if so, changes the feature flag's description.

Attributes that are not editable, such as a resource's `_links`, have names that start with an underscore.
JSON merge patch is another format for specifying the modifications to perform on a resource. JSON merge patch is less expressive than JSON patch. However, in many cases it is simpler to construct a merge patch document. For example, you can change a feature flag's description with the following merge patch document:
```json
{
  "description": "New flag description"
}
```
Some resources support the semantic patch format. A semantic patch is a way to specify the modifications to perform on a resource as a set of executable instructions.
Semantic patch allows you to be explicit about intent using precise, custom instructions. In many cases, you can define semantic patch instructions independently of the current state of the resource. This can be useful when defining a change that may be applied at a future date.
To make a semantic patch request, you must append `domain-model=launchdarkly.semanticpatch` to your `Content-Type` header.

Here's how:

```
Content-Type: application/json; domain-model=launchdarkly.semanticpatch
```

If you call a semantic patch resource without this header, you will receive a `400` response because your semantic patch will be interpreted as a JSON patch.
The body of a semantic patch request takes the following properties:

- `comment` (string): (Optional) A description of the update.
- `environmentKey` (string): (Required for some resources only) The environment key.
- `instructions` (array): (Required) A list of actions the update should perform. Each action in the list must be an object with a `kind` property that indicates the instruction. If the instruction requires parameters, you must include those parameters as additional fields in the object. The documentation for each resource that supports semantic patch includes the available instructions and any additional parameters.

For example:

```json
{
  "comment": "optional comment",
  "instructions": [ {"kind": "turnFlagOn"} ]
}
```
If any instruction in the patch encounters an error, the endpoint returns an error and will not change the resource. In general, each instruction silently does nothing if the resource is already in the state you request.
You can submit optional comments with `PATCH` changes.
To submit a comment along with a JSON patch document, use the following format:
```json
{
  "comment": "This is a comment string",
  "patch": [{ "op": "replace", "path": "/description", "value": "The new description" }]
}
```
To submit a comment along with a JSON merge patch document, use the following format:
```json
{
  "comment": "This is a comment string",
  "merge": { "description": "New flag description" }
}
```
To submit a comment along with a semantic patch, use the following format:
```json
{
  "comment": "This is a comment string",
  "instructions": [ {"kind": "turnFlagOn"} ]
}
```
The API always returns errors in a common format. Here's an example:
```json
{
  "code": "invalid_request",
  "message": "A feature with that key already exists",
  "id": "30ce6058-87da-11e4-b116-123b93f75cba"
}
```

The `code` indicates the general class of error. The `message` is a human-readable explanation of what went wrong. The `id` is a unique identifier. Use it when you're working with LaunchDarkly Support to debug a problem with a specific API call.
Code | Definition | Description | Possible Solution |
---|---|---|---|
400 | Invalid request | The request cannot be understood. | Ensure JSON syntax in request body is correct. |
401 | Invalid access token | Requestor is unauthorized or does not have permission for this API call. | Ensure your API access token is valid and has the appropriate permissions. |
403 | Forbidden | Requestor does not have access to this resource. | Ensure that the account member or access token has proper permissions set. |
404 | Invalid resource identifier | The requested resource is not valid. | Ensure that the resource is correctly identified by ID or key. |
405 | Method not allowed | The request method is not allowed on this resource. | Ensure that the HTTP verb is correct. |
409 | Conflict | The API request can not be completed because it conflicts with a concurrent API request. | Retry your request. |
422 | Unprocessable entity | The API request can not be completed because the update description can not be understood. | Ensure that the request body is correct for the type of patch you are using, either JSON patch or semantic patch. |
429 | Too many requests | Read Rate limiting. | Wait and try again later. |
The LaunchDarkly API supports Cross Origin Resource Sharing (CORS) for AJAX requests from any origin. If an `Origin` header is given in a request, it will be echoed as an explicitly allowed origin. Otherwise the request returns a wildcard, `Access-Control-Allow-Origin: *`. For more information on CORS, read the CORS W3C Recommendation. Example CORS headers might look like:

```
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding, Authorization
Access-Control-Allow-Methods: OPTIONS, GET, DELETE, PATCH
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 300
```

You can make authenticated CORS calls just as you would make same-origin calls, using either token or session-based authentication. If you are using session authentication, you should set the `withCredentials` property for your `xhr` request to `true`. You should never expose your access tokens to untrusted entities.
We use several rate limiting strategies to ensure the availability of our APIs. Rate-limited calls to our APIs return a `429` status code. Calls to our APIs include headers indicating the current rate limit status. The specific headers returned depend on the API route being called. The limits differ based on the route, authentication mechanism, and other factors. Routes that are not rate limited may not contain any of the headers described below.
Rate limiting and SDKs
LaunchDarkly SDKs are never rate limited and do not use the API endpoints defined here. LaunchDarkly uses a different set of approaches, including streaming/server-sent events and a global CDN, to ensure availability to the routes used by LaunchDarkly SDKs.
Authenticated requests are subject to a global limit. This is the maximum number of calls that your account can make to the API per ten seconds. All service and personal access tokens on the account share this limit, so exceeding the limit with one access token will impact other tokens. Calls that are subject to global rate limits may return the headers below:
Header name | Description |
---|---|
X-Ratelimit-Global-Remaining | The maximum number of requests the account is permitted to make per ten seconds. |
X-Ratelimit-Reset | The time at which the current rate limit window resets in epoch milliseconds. |
We do not publicly document the specific number of calls that can be made globally. This limit may change, and we encourage clients to program against the specification, relying on the two headers defined above, rather than hardcoding to the current limit.
Some authenticated routes have custom rate limits. These also reset every ten seconds. Any service or personal access tokens hitting the same route share this limit, so exceeding the limit with one access token may impact other tokens. Calls that are subject to route-level rate limits return the headers below:
Header name | Description |
---|---|
X-Ratelimit-Route-Remaining | The maximum number of requests to the current route the account is permitted to make per ten seconds. |
X-Ratelimit-Reset | The time at which the current rate limit window resets in epoch milliseconds. |
A route represents a specific URL pattern and verb. For example, the Delete environment endpoint is considered a single route, and each call to delete an environment counts against your route-level rate limit for that route.
We do not publicly document the specific number of calls that an account can make to each endpoint per ten seconds. These limits may change, and we encourage clients to program against the specification, relying on the two headers defined above, rather than hardcoding to the current limits.
We also employ IP-based rate limiting on some API routes. If you hit an IP-based rate limit, your API response will include a `Retry-After` header indicating how long to wait before re-trying the call. Clients must wait at least `Retry-After` seconds before making additional calls to our API, and should employ jitter and backoff strategies to avoid triggering rate limits again.
We have a complete OpenAPI (Swagger) specification for our API.
We auto-generate multiple client libraries based on our OpenAPI specification. To learn more, visit the collection of client libraries on GitHub. You can also use this specification to generate client libraries to interact with our REST API in your language of choice.
Our OpenAPI specification is supported by several API-based tools such as Postman and Insomnia. In many cases, you can directly import our specification to explore our APIs.
Some firewalls and HTTP clients restrict the use of verbs other than `GET` and `POST`. In those environments, our API endpoints that use `DELETE`, `PATCH`, and `PUT` verbs are inaccessible.

To avoid this issue, our API supports the `X-HTTP-Method-Override` header, allowing clients to "tunnel" `DELETE`, `PATCH`, and `PUT` requests using a `POST` request.

For example, to call a `PATCH` endpoint using a `POST` request, you can include `X-HTTP-Method-Override: PATCH` as a header.
We sometimes release new API resources in beta status before we release them with general availability.
Resources that are in beta are still undergoing testing and development. They may change without notice, including becoming backwards incompatible.
We try to promote resources into general availability as quickly as possible. This happens after sufficient testing and when we're satisfied that we no longer need to make backwards-incompatible changes.
We mark beta resources with a "Beta" callout in our documentation, pictured below:

> This feature is in beta
>
> To use this feature, pass in a header including the `LD-API-Version` key with value set to `beta`. Use this header with each call. To learn more, read Beta resources.
>
> Resources that are in beta are still undergoing testing and development. They may change without notice, including becoming backwards incompatible.

To use a beta resource, you must include a header in the request. If you call a beta resource without this header, you receive a `403` response.

Use this header:

```
LD-API-Version: beta
```
The version of LaunchDarkly that is available on domains controlled by the United States government is different from the version of LaunchDarkly available to the general public. If you are an employee or contractor for a United States federal agency and use LaunchDarkly in your work, you likely use the federal instance of LaunchDarkly.
If you are working in the federal instance of LaunchDarkly, the base URI for each request is `https://app.launchdarkly.us`. In the "Try it" sandbox for each request, click the request path to view the complete resource path for the federal environment.
To learn more, read LaunchDarkly in federal environments.
We try hard to keep our REST API backwards compatible, but we occasionally have to make backwards-incompatible changes in the process of shipping new features. These breaking changes can cause unexpected behavior if you don't prepare for them accordingly.
Updates to our REST API include support for the latest features in LaunchDarkly. We also release a new version of our REST API every time we make a breaking change. We provide simultaneous support for multiple API versions so you can migrate from your current API version to a new version at your own pace.
You can set the API version on a specific request by sending an `LD-API-Version` header, as shown in the example below:

```
LD-API-Version: 20240415
```

The header value is the version number of the API version you would like to request. The number for each version corresponds to the date the version was released in `yyyymmdd` format. In the example above the version `20240415` corresponds to April 15, 2024.
When you create an access token, you must specify a specific version of the API to use. This ensures that integrations using this token cannot be broken by version changes.
Tokens created before versioning was released have their version set to `20160426`, which is the version of the API that existed before the current versioning scheme, so that they continue working the same way they did before versioning.
If you would like to upgrade your integration to use a new API version, you can explicitly set the header described above.
Best practice: Set the header for every client or integration
We recommend that you set the API version header explicitly in any client or integration you build.
Only rely on the access token API version during manual testing.
Version | Changes | End of life (EOL) |
---|---|---|
20240415 | | Current |
20220603 | | 2025-04-15 |
20210729 | | 2023-06-03 |
20191212 | | 2022-07-29 |
20160426 | | 2020-12-12 |
To learn more about how EOL is determined, read LaunchDarkly's End of Life (EOL) Policy.
This generator creates a TypeScript/JavaScript client that uses axios. The generated Node module can be used in the following environments:

- Environment
- Language level
- Module system

It can be used in both TypeScript and JavaScript. In TypeScript, the definition should be automatically resolved via `package.json`. (Reference)
To build and compile the TypeScript sources to JavaScript, use:

```
npm install
npm run build
```

First build the package, then run `npm publish`.

Navigate to the folder of your consuming project and run one of the following commands.

Published:

```
npm install launchdarkly-api-typescript@17.0.0 --save
```

Unpublished (not recommended):

```
npm install PATH_TO_GENERATED_PACKAGE --save
```
```typescript
import { FeatureFlagsApi, Configuration, FeatureFlagBody } from "launchdarkly-api-typescript";

// Read the access token from the environment rather than hardcoding it in source.
const apiToken = process.env.LD_API_KEY;
const config = new Configuration({ apiKey: apiToken });
const apiInstance = new FeatureFlagsApi(config);

const successCallback = function (res: { data: unknown }) {
  console.log("API called successfully. Returned data: " + JSON.stringify(res.data));
};

const errorCallback = function (error: unknown) {
  console.error("Error!", error);
  process.exit(1);
};

const projectName = "openapi";
const keyName = "test-typescript";
const flagBody: FeatureFlagBody = {
  name: "Test Flag Typescript",
  key: keyName,
  variations: [{ value: [1, 2] }, { value: [3, 4] }, { value: [5] }],
};

// After a successful create, delete the flag again to clean up.
const createSuccessCallback = function (res: { data: unknown }) {
  successCallback(res);
  apiInstance.deleteFeatureFlag(projectName, keyName).then(successCallback, errorCallback);
};

// Remove any flag left over from a previous run, then create it fresh.
apiInstance
  .deleteFeatureFlag(projectName, keyName)
  .then(() => {
    console.log("flag deleted");
    apiInstance.postFeatureFlag(projectName, flagBody).then(createSuccessCallback, errorCallback);
  })
  .catch((err) => {
    if (err?.response?.status === 404) {
      console.log("No flag to cleanup");
      apiInstance.postFeatureFlag(projectName, flagBody).then(createSuccessCallback, errorCallback);
    } else {
      // errorCallback exits the process, so no create is attempted after a real failure.
      errorCallback(err);
    }
  });
```
FAQs
OpenAPI client for launchdarkly-api-typescript
The npm package launchdarkly-api-typescript receives a total of 12,206 weekly downloads. As such, launchdarkly-api-typescript popularity was classified as popular.
We found that launchdarkly-api-typescript demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.