For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Sign inTry it free
DocsGuidesSDKsIntegrationsAPI docsTutorialsFlagship blog
DocsGuidesSDKsIntegrationsAPI docsTutorialsFlagship blog
  • SDKs
    • SDK concepts
    • SDK features
      • Aliasing users
      • Anonymous contexts and users
      • Automatic environment attributes
      • Big segments
      • Bootstrapping
      • Configuration
      • Context configuration
      • Customizing AgentControl
      • Data saving mode
      • Evaluating flags
      • Flag evaluation reasons
      • Flushing events
      • Getting all flags
      • Hooks
      • Identifying and changing contexts
      • Inspectors
      • Logging configuration
      • Migrations
      • Monitoring SDK status
      • Multiple environments
      • Offline mode
      • OpenTelemetry in server-side SDKs
      • Private attributes
      • User feedback
      • Reading flags from a file
      • Relay Proxy configuration
      • Secure mode
      • Sending custom events
      • Shutting down
      • Storing data
      • Subscribing to flag changes
      • Test data sources
      • Tracking AI metrics
      • Web proxy configuration
    • Client-side SDKs
    • Server-side SDKs
    • AI SDKs
    • Edge SDKs
    • OpenFeature providers
    • Observability SDKs
    • Relay Proxy
Sign inTry it free
LogoLogo
On this page
  • Overview
  • About secure mode
  • How secure mode works
  • Generate a secure mode hash
  • Server-side SDKs
  • .NET (server-side)
  • Go
  • Haskell
  • Java
  • Node.js (server-side)
  • PHP
  • Python
  • Ruby
  • Rust
  • Edge SDKs
  • Cloudflare
  • Fastly
  • Vercel
  • Compute the hash manually
  • Configure secure mode in JavaScript-based SDKs
  • Electron
  • JavaScript
  • Node.js (client-side)
  • React Web
SDKsSDK features

Secure mode

Was this page helpful?
Previous

Sending custom events

Next
Built with

Overview

This topic explains how to use the secure mode feature to safely evaluate feature flags in a web browser.

About secure mode

Secure mode ensures that customers’ feature flag evaluations are kept private in web browser environments, and that one end user cannot inspect the variations for another end user. On an insecure device, a malicious end user could use a context or user key to identify what flag values another end user receives by analyzing the results of multiple flag evaluations. Secure mode prevents you from doing an evaluation for a context or user key that hasn’t been signed on the backend.

Secure mode is available for communication between the following JavaScript-based SDKs and LaunchDarkly:

  • Electron
  • JavaScript
  • Node.js (client-side)
  • React Web

Secure mode is not necessary for server-side SDKs.

How secure mode works

Secure mode works when you configure your JavaScript-based SDK to include a server-generated HMAC SHA256 hash of your context key or user key. This hash is signed with the SDK key for your environment. Enabling secure mode means that every request coming from a client-side JavaScript-based SDK requires the secure mode hash to evaluate flag variations. You can pass this to your front-end code with the mechanism of your choice, such as bootstrapping or as a template variable.

To use secure mode, you must complete the following:

  1. Enable secure mode for each environment: You can enable secure mode by editing each of your environments from the Environments list of your project in the LaunchDarkly user interface. Secure mode is an environment-wide setting. You can enable secure mode for your environment even if you’re also using SDKs other than JavaScript. Enabling secure mode does not cause those SDKs to fail.
  2. Configure your server-side or edge SDK to generate the secure mode hash: Most LaunchDarkly server-side and edge SDKs include a method to compute the secure mode hash for a key. Alternatively, you can compute the hash yourself. To learn how, read Compute the hash manually. If at any time you reset an environment’s SDK key, you will need to regenerate the secure mode hash.
  3. Send the computed secure mode hash for the context or user to LaunchDarkly: Include the secure mode hash when requesting flag evaluations. The JavaScript-based SDK will send the context or user key and the hash to LaunchDarkly. If the hash doesn’t match, LaunchDarkly returns an error.
Enable secure mode during initial setup

You can enable secure mode at any time when you use LaunchDarkly SDKs. As a best practice, we recommend that you enable secure mode during initial SDK configuration, because late-stage changes to your SDK configuration may have negative interactions with other settings.

To learn more about the secure mode hash process, read How to verify secure mode hash.

Newer versions of LaunchDarkly SDKs replace users with contexts

A context is a generalized way of referring to the people, services, machines, or other resources that encounter feature flags in your product. Contexts replace another data object in LaunchDarkly: “users.” To learn more, read Contexts.

Creating contexts and evaluating flags based on them is supported in the latest major versions of most of our SDKs. For these SDKs, the code samples on this page include the two most recent versions.

Generate a secure mode hash

Details about generating a secure mode hash are available in the SDK-specific sections below:

  • Server-side SDKs
  • Edge SDKs

Server-side SDKs

You can use the following server-side SDKs to generate a secure mode hash:

  • .NET (server-side)
  • Go
  • Haskell
  • Java
  • Node.js (server-side)
  • PHP
  • Python
  • Ruby
  • Rust

.NET (server-side)

Expand .NET (server-side) code sample

The SecureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

.NET SDK v7.0 (C#)
1var hash = client.SecureModeHash(context);

Go

Expand Go code sample

The SecureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

1// There is not a SecureModeHash method in the LDScopedClient,
2// so you need to access the method from the LDClient.
3// Then, pass in the scoped client's current context.
4// LDScopedClient is in beta and may change without notice.
5scopedClient.Client().SecureModeHash(scopedClient.CurrentContext())

Haskell

Expand Haskell code sample

The secureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

Haskell SDK v4.0
1secureModeHash client context

Java

Expand Java code sample

The secureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

Java SDK v6.0
1client.secureModeHash(context);

Node.js (server-side)

Expand Node.js (server-side) code sample

The secureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

Node.js SDK v7.x and later (JavaScript)
1client.secureModeHash(context);

PHP

Expand PHP code sample

The secureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

PHP SDK v5.0
1$hash = $client->secureModeHash($context);

Python

Expand Python code sample

The SecureModeHash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

Python SDK v8.0
1hash = ldclient.get().secure_mode_hash(context)

Ruby

Expand Ruby code sample

The secure_mode_hash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

Ruby SDK v7.0
1client.secure_mode_hash(context)

Rust

Expand Rust code sample

The secure_mode_hash method computes an HMAC signature of a context signed with the client’s SDK key.

Here is the method:

1match client.secure_mode_hash(&context) {
2    Ok(hash) => println!("Hash: {}", hash),
3    Err(e) => eprintln!("Failed to compute hash: {}", e),
4}

Edge SDKs

You can use the following edge SDKs to generate a secure mode hash:

  • Cloudflare
  • Fastly
  • Vercel

Cloudflare

Expand Cloudflare code sample

The secureModeHash method computes an HMAC signature of a context signed with the SDK key.

Here is the method:

TypeScript
1const hash = client.secureModeHash(context);

Fastly

Expand Fastly code sample

The secureModeHash method computes an HMAC signature of a context signed with the SDK key.

Here is the method:

TypeScript
1const hash = client.secureModeHash(context);

Vercel

Expand Vercel code sample

The secureModeHash method computes an HMAC signature of a context signed with the SDK key.

Here is the method:

TypeScript
1const hash = client.secureModeHash(context);

Compute the hash manually

To compute the hash manually, locate the server-side SDK key for your environment on the SDK keys page under Settings. Then, compute an HMAC SHA256 hash of the UTF-8 encoding of your context key, using the UTF-8 encoding of your SDK key as a secret, and convert the hash to a hexadecimal string.

Here is a .NET (server-side) example:

C#
1using System;
2using System.Security.Cryptography;
3using System.Text;
4
5var encoding = new UTF8Encoding();
6var keyBytes = encoding.GetBytes("YOUR_SDK_KEY");
7var hmacSha256 = new HMACSHA256(keyBytes);
8var hashBytes = hmacSha256.ComputeHash(encoding.GetBytes("example-context-key"));
9var hashString = BitConverter.ToString(hashBytes).Replace("-", "").ToLower();

Configure secure mode in JavaScript-based SDKs

To use secure mode, you must generate the hash based on a unique identifier for the context. This unique identifier is called a “canonical key” and is a concatenation of the kind and key attributes, separated by a colon (:). For example, if a user context has a key of “example-user-key,” this means you must generate the hash using a canonical key of user:example-user-key. If the context is a multi-context, the canonical key must include the key and kind attribute for each context kind. For example, if a multi-context contains an organization context kind and a user context kind, and they have the keys “example-organization-key” and “example-user-key”, the canonical key is organization:example-organization-key:user:example-user-key.

Secure mode is not compatible with the SDK’s ability to automatically generate keys for anonymous contexts because the SDK needs a correctly calculated hash value. To learn more, read Anonymous contexts and users.

In JavaScript-based SDKs, send the computed secure mode hash for your context as the hash attribute in the LDOptions object during client initialization, and as the hash parameter if subsequently identifying new contexts.

Specifying the computed secure mode hash is supported in the following client-side SDKs:

  • Electron
  • JavaScript
  • Node.js (client-side)
  • React Web

Electron

Expand Electron code sample

Here’s how to configure or send the computed secure mode hash:

Electron SDK
1// client initialization
2const options = {
3  hash: 'example-server-generated-hash',
4};
5const client = LDClient.initialize('example-client-side-id', user, options);
6
7// identification of new user
8client.identify(newUser, hash, function() {
9  console.log("New user's flags available");
10});
11
12// identification of new user, with a Promise
13client.identify(newUser, hash).then(() => {
14  console.log("New user's flags available");
15});

JavaScript

Expand JavaScript code sample

Here’s how to configure or send the computed secure mode hash:

1// client initialization
2const options = {
3  hash: 'example-server-generated-hash',
4};
5const client = LDClient.initialize('example-client-side-id', context, options);
6
7try {
8  await client.waitForInitialization(5);
9  // proceed with successfully initialized client
10
11  // identification of new contexts
12  client.identify(newContext, hash, function() {
13    console.log("New context's flags available");
14  });
15
16} catch(err) {
17  // Client failed to initialized or timed out
18  // variation() calls return fallback values until initialization completes
19}

Node.js (client-side)

Expand Node.js (client-side) code sample

Here’s how to configure or send the computed secure mode hash:

Node.js (client-side) SDK v3 (JavaScript)
1// client initialization
2const options = {
3  hash: 'example-server-generated-hash',
4};
5const client = LDClient.initialize('example-client-side-id', context, options);
6
7// identification of new contexts
8client.identify(newContext, hash, function() {
9  console.log("New context's flags available");
10});
11
12// identification of new contexts, with a Promise
13client.identify(newContext, hash).then(() => {
14  console.log("New context's flags available");
15});

React Web

All context-related functionality provided by the JavaScript SDK is also available in the React Web SDK.