After you generate an API key, you can adjust two settings at any time from the Developers section: the key’s status and its allowed IP addresses. These controls let you respond quickly to security events and lock down keys to known infrastructure without generating new credentials.

Access your keys

Navigate to Developers in the Foff dashboard navigation bar. Every key associated with your workspace is listed here, along with its current status and any configured IP restrictions.

Key settings

Status

Each key can be enabled or disabled.
  • Enabled — the key is active and any request using it will be authenticated normally.
  • Disabled — the key is deactivated and all requests using it will be rejected immediately.
Disabling a key takes effect immediately. Any service or client currently using that key will stop receiving feature flag values until you re-enable the key or the service is updated to use a new one.
When to disable a key: If you suspect a key has been leaked or is being used without authorization, disable it right away to stop access. Then generate a new key, update your services, and delete the old key once you have confirmed the rotation is complete.

Allowed IP addresses

You can restrict a key to a list of specific IP addresses. When IP allowlisting is configured, only requests originating from those addresses will be authenticated. Requests from any other IP — even with a valid key — will be rejected.
When to restrict IPs: Use IP restrictions for server-side integrations where the calling IP is known and stable, such as:
  • A backend API server deployed to a fixed IP or IP range.
  • A CI/CD pipeline running in a cloud environment with static egress IPs.
  • An internal tool hosted on a corporate network.
Do not apply IP restrictions to keys used by client-side or mobile applications, where the originating IP is unpredictable.
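
Before turning on an IP restriction, it helps to confirm that every address your services actually call from is covered, so the change does not lock out a legitimate caller. The following is an added example, not Foff's code: it assumes allowlist entries are single addresses or CIDR ranges and that you have caller IPs from your own egress or proxy logs; the function names and sample addresses are constructed.

```python
import ipaddress
from collections import Counter

def normalize(ip_text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack hosts."""
    ip = ipaddress.ip_address(ip_text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 addresses have this attribute
    return mapped or ip

def audit_allowlist(allowlist, observed_ips):
    """Compare a proposed allowlist with caller IPs seen in your own logs.

    Returns (rejected, unused):
      rejected - Counter of observed IPs that no entry covers (would be locked out)
      unused   - entries that matched no observed traffic (stale or mistyped)
    """
    # strict=False accepts a host address with a prefix, e.g. 198.51.100.5/28
    networks = [ipaddress.ip_network(e.strip(), strict=False) for e in allowlist]
    hits = {net: 0 for net in networks}
    rejected = Counter()
    for text in observed_ips:
        ip = normalize(text)
        matched = [n for n in networks if n.version == ip.version and ip in n]
        if not matched:
            rejected[str(ip)] += 1
        for n in matched:
            hits[n] += 1
    unused = [str(n) for n, count in hits.items() if count == 0]
    return rejected, unused

# Constructed sample data (documentation address ranges), not real infrastructure.
PROPOSED = ["203.0.113.10", "198.51.100.0/28", "192.0.2.77"]
OBSERVED = ["203.0.113.10", "::ffff:203.0.113.10", "198.51.100.5",
            "198.51.100.20", "203.0.113.10"]

if __name__ == "__main__":
    rejected, unused = audit_allowlist(PROPOSED, OBSERVED)
    for ip, count in rejected.items():
        print(f"would be rejected: {ip} ({count} request(s) in sample)")
    for entry in unused:
        print(f"no traffic matched allowlist entry: {entry}")
```

An address reported as rejected should be investigated before the restriction is saved: it is either a legitimate egress IP missing from the list or a caller that should not hold the key.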

Organizing keys across environments

Create separate API keys for each environment — production, staging, and development. This makes it straightforward to rotate or disable a single environment’s key without affecting others, and gives you a clear audit trail of which key is used where.
A practical setup:
Environment   Key name         IP restriction
Production    prod-server      Production server IP
Staging       staging-server   Staging server IP
Development   dev-local        None

Rotating a compromised key

  1. Disable the compromised key immediately in the Developers section.
  2. Generate a new key (see Creating an API Key).
  3. Update your environment variables or secrets manager with the new key value.
  4. Deploy your services with the updated key.
  5. Confirm the new key is working, then delete the old key if no longer needed.