> ## Documentation Index
> Fetch the complete documentation index at: https://confidence.spotify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Set Up Flag Clients

> Learn how to create flag clients and manage their credentials.

export const HowToSchema = ({name, description, steps = []}) => {
  const schema = {
    "@context": "https://schema.org",
    "@type": "HowTo",
    name,
    description
  };
  if (steps.length > 0) {
    schema.step = steps.map((s, i) => ({
      "@type": "HowToStep",
      position: i + 1,
      name: typeof s === "string" ? s : s.name,
      text: typeof s === "string" ? s : s.text || s.name
    }));
  }
  return <script type="application/ld+json" dangerouslySetInnerHTML={{
    __html: JSON.stringify(schema)
  }} />;
};

<HowToSchema
  name="Set Up Flag Clients"
  description="Learn how to create flag clients and manage their credentials."
  steps={[
{
  name: "Create a Flag Client",
  text: "To create a client, provide a display name that identifies the application: Response:",
},
{
  name: "Create Client Credentials",
  text: "After creating a client, generate credentials (client secret) for authentication: Response: Make note of the client secret. It's only returned once, from the create operation. If you lose it, you have to create a new one.",
},
{
  name: "Use Client Secrets",
  text: "The client secret authenticates when resolving and applying flags. Unlike other API operations that use Bearer tokens, resolve and apply operations use the client secret directly:",
},
{ name: "List Clients", text: "To view all clients in your account:" },
{
  name: "Get a Specific Client",
  text: "To retrieve details about a specific client:",
},
{
  name: "Rotate Client Secrets",
  text: "For security best practices, periodically rotate client secrets: 1. Create a new credential for the client 2. Update your application to use the new secret",
},
]}
/>

Clients resolve flags into values. A client could be a mobile app, website, or backend service. These clients often run in an untrusted environment and authenticate with a different mechanism than service APIs of Confidence.

The calling client authenticates using a shared secret between the caller and Confidence. This secret, called "client secret," belongs to a client resource in Confidence.

## Create a Flag Client

To create a client, provide a display name that identifies the application:

```bash theme={null}
curl -X POST "https://iam.confidence.dev/v1/clients" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "displayName": "My client"
  }'
```

Response:

```json theme={null}
{
  "name": "clients/1bhq4c2zqigdzqg6ufni",
  "displayName": "My client",
  "createTime": "2023-08-29T09:36:57.163017Z",
  "updateTime": "2023-08-29T09:36:57.163017Z"
}
```

## Create Client Credentials

After creating a client, generate credentials (client secret) for authentication:

```bash theme={null}
curl -X POST "https://iam.confidence.dev/v1/clients/1bhq4c2zqigdzqg6ufni/credentials" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"
```

Response:

```json theme={null}
{
  "name": "clients/1bhq4c2zqigdzqg6ufni/credentials/abc123",
  "secret": "ZXhhbXBsZV9zZWNyZXRfa2V5X3RoYXRfeW91X3Nob3VsZF9rZWVwX3NhZmU",
  "createTime": "2023-08-29T09:40:12.456789Z"
}
```

<Note>
  Make note of the client secret. It's only returned once, from the create operation. If you lose it, you have to create a new one.
</Note>

<Warning>
  Store the client secret securely. Anyone with this secret can resolve flags on behalf of this client.
</Warning>

## Use Client Secrets

The client secret authenticates when resolving and applying flags. Unlike other API operations that use Bearer tokens, resolve and apply operations use the client secret directly:

```bash theme={null}
curl -X POST "https://flags.confidence.dev/v1/flags:resolve" \
  -H "Content-Type: application/json" \
  -d '{
    "clientSecret": "YOUR_CLIENT_SECRET",
    "evaluationContext": {
      "user_id": "example-user"
    }
  }'
```

## List Clients

To view all clients in your account:

```bash theme={null}
curl -X GET "https://iam.confidence.dev/v1/clients" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

## Get a Specific Client

To retrieve details about a specific client:

```bash theme={null}
curl -X GET "https://iam.confidence.dev/v1/clients/1bhq4c2zqigdzqg6ufni" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

## Rotate Client Secrets

For security best practices, periodically rotate client secrets:

1. Create a new credential for the client
2. Update your application to use the new secret
3. Delete the old credential after the migration is complete

To delete a credential:

```bash theme={null}
curl -X DELETE "https://iam.confidence.dev/v1/clients/1bhq4c2zqigdzqg6ufni/credentials/abc123" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

## Next Steps

After setting up flag clients:

1. [Create flags](./create-flag) and associate them with clients
2. [Resolve flags](./resolve-flags) using the client secret
3. [Apply flags](./apply-flags) to track usage
