Skip to content

LaunchDarkly SDK Key

Service Name: LaunchDarkly

Service Description: LaunchDarkly is a feature management platform that enables development teams to safely deliver and control software through feature flags. It allows teams to control feature rollouts, test in production, manage user experiences, and toggle features without deploying new code.

Service Address: https://launchdarkly.com/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but LaunchDarkly offers IP allowlisting at the account level for API access.

Secret Access Scope: SDK keys grant read-only access to feature flags in a specific environment. They are used by server-side SDKs to connect to LaunchDarkly and fetch feature flag configurations.

Secret Revokement URL: https://app.launchdarkly.com/settings/authorization

Secret Example: sdk-a2b3c4d5e6f7g8h9j0k1l2m3n4o5p6q7

Suspicious Activity Investigation Instructions:

  • Review the LaunchDarkly audit logs for unusual access patterns or flag changes
  • Check for unexpected feature flag evaluations or configuration changes
  • Monitor for unusual traffic volumes or patterns from SDK clients
  • Verify if the SDK key is being used from unexpected geographic locations
  • Review LaunchDarkly dashboard for any unauthorized environment access

Mitigation Instructions:

  • Log in to your LaunchDarkly account and navigate to Account settings

  • Go to the Authorization tab

  • Locate the compromised SDK key in the list
  • Click the "Reset" button next to the key to invalidate it and generate a new one
  • Update the SDK key in all legitimate applications using the key
  • Consider implementing more granular environments to limit the scope of future

key compromises

  • Review and update access controls for your LaunchDarkly account
  • Enable multi-factor authentication for all LaunchDarkly users if not already

enabled