From f2a0b9bd57d663f0a4665ef6a1cbc852a6c72ddd Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Fri, 27 Feb 2026 22:37:51 +0000
Subject: [PATCH 1/2] docs: add secret references examples for static token authentication
Update static token authentication docs to show how to use secret references to avoid hardcoding token values in configuration files. Includes examples for both file and HashiCorp Vault providers with cross-references to the secrets documentation. Also adds static token examples to the secrets.mdx usage section to demonstrate the feature alongside other authentication methods.
Closes #349
Co-authored-by: Mark Phelps
---
 docs/v2/configuration/authentication.mdx | 45 ++++++++++++++++++++++++
 docs/v2/configuration/secrets.mdx | 13 +++++++
 2 files changed, 58 insertions(+)
diff --git a/docs/v2/configuration/authentication.mdx b/docs/v2/configuration/authentication.mdx
index d0bc548..3c62629 100644
--- a/docs/v2/configuration/authentication.mdx
+++ b/docs/v2/configuration/authentication.mdx
@@ -196,6 +196,51 @@ authentication:
 some_key: "some_value"
 ```
+#### Using Secret References
+
+To avoid storing token values directly in your configuration file, you can use [secret references](/v2/configuration/overview#secret-references) with a configured [secret provider](/v2/configuration/secrets).
+
+Using the [file provider](/v2/configuration/secrets#file-provider):
+
+```yaml config.yaml
+authentication:
+ required: true
+ methods:
+ token:
+ enabled: true
+ storage:
+ tokens:
+ "ci_token":
+ credential: "${secret:file:ci-token}"
+ metadata:
+ name: "CI Pipeline Token"
+ "dev_token":
+ credential: "${secret:file:dev-token}"
+ metadata:
+ name: "Development Token"
+```
+
+Using the [HashiCorp Vault provider](/v2/configuration/secrets#hashicorp-vault-provider):
+
+```yaml config.yaml
+authentication:
+ required: true
+ methods:
+ token:
+ enabled: true
+ storage:
+ tokens:
+ "ci_token":
+ credential: "${secret:vault:flipt/tokens:ci-token}"
+ metadata:
+ name: "CI Pipeline Token"
+```
+
+
+ See [Secrets](/v2/configuration/secrets) for details on configuring secret
+ providers.
+
+
 ### OIDC
 The `OIDC` method is a `session compatible` authentication method.
diff --git a/docs/v2/configuration/secrets.mdx b/docs/v2/configuration/secrets.mdx
index 5c4f215..716f622 100644
--- a/docs/v2/configuration/secrets.mdx
+++ b/docs/v2/configuration/secrets.mdx
@@ -173,6 +173,13 @@ authentication:
 session:
 csrf:
 key: ${secret:file:csrf-key} # References /etc/flipt/secrets/csrf-key
+ methods:
+ token:
+ enabled: true
+ storage:
+ tokens:
+ "ci_token":
+ credential: ${secret:file:ci-token} # References /etc/flipt/secrets/ci-token
 ```
 ### Vault Provider Examples
@@ -188,6 +195,12 @@ authentication:
 github:
 client_id: ${secret:vault:auth/github:client_id}
 client_secret: ${secret:vault:auth/github:client_secret}
+ token:
+ enabled: true
+ storage:
+ tokens:
+ "ci_token":
+ credential: ${secret:vault:flipt/tokens:ci-token}
 ```
 ### Combined with Environment Variables
From 7a69f98fd389bdc65fa645ab24bfb8a612028e68 Mon Sep 17 00:00:00 2001
From: Mark Phelps <209477+markphelps@users.noreply.github.com>
Date: Fri, 27 Feb 2026 20:25:09 -0500
Subject: [PATCH 2/2] docs: address review feedback on secret references examples
- Add inline comments to authentication.mdx secret reference examples
- Add second token to Vault example for symmetry with file example
- Quote secret references in secrets.mdx for consistency
- Add required: true to secrets.mdx provider examples
Co-Authored-By: Claude Opus 4.6
---
 docs/v2/configuration/authentication.mdx | 10 +++++++---
 docs/v2/configuration/secrets.mdx | 20 +++++++++++---------
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/docs/v2/configuration/authentication.mdx b/docs/v2/configuration/authentication.mdx
index 3c62629..42b5d54 100644
--- a/docs/v2/configuration/authentication.mdx
+++ b/docs/v2/configuration/authentication.mdx
@@ -211,11 +211,11 @@ authentication:
 storage:
 tokens:
 "ci_token":
- credential: "${secret:file:ci-token}"
+ credential: "${secret:file:ci-token}" # References /etc/flipt/secrets/ci-token
 metadata:
 name: "CI Pipeline Token"
 "dev_token":
- credential: "${secret:file:dev-token}"
+ credential: "${secret:file:dev-token}" # References /etc/flipt/secrets/dev-token
 metadata:
 name: "Development Token"
 ```
@@ -231,9 +231,13 @@ authentication:
 storage:
 tokens:
 "ci_token":
- credential: "${secret:vault:flipt/tokens:ci-token}"
+ credential: "${secret:vault:flipt/tokens:ci-token}" # References flipt/tokens secret, key: ci-token
 metadata:
 name: "CI Pipeline Token"
+ "dev_token":
+ credential: "${secret:vault:flipt/tokens:dev-token}" # References flipt/tokens secret, key: dev-token
+ metadata:
+ name: "Development Token"
 ```
diff --git a/docs/v2/configuration/secrets.mdx b/docs/v2/configuration/secrets.mdx
index 716f622..f66910b 100644
--- a/docs/v2/configuration/secrets.mdx
+++ b/docs/v2/configuration/secrets.mdx
@@ -166,41 +166,43 @@ Secret references use the format `${secret:provider:key}` where:
 ```yaml
 server:
- cert_file: ${secret:file:tls-cert} # References /etc/flipt/secrets/tls-cert
- cert_key: ${secret:file:tls-key} # References /etc/flipt/secrets/tls-key
+ cert_file: "${secret:file:tls-cert}" # References /etc/flipt/secrets/tls-cert
+ cert_key: "${secret:file:tls-key}" # References /etc/flipt/secrets/tls-key
 authentication:
+ required: true
 session:
 csrf:
- key: ${secret:file:csrf-key} # References /etc/flipt/secrets/csrf-key
+ key: "${secret:file:csrf-key}" # References /etc/flipt/secrets/csrf-key
 methods:
 token:
 enabled: true
 storage:
 tokens:
 "ci_token":
- credential: ${secret:file:ci-token} # References /etc/flipt/secrets/ci-token
+ credential: "${secret:file:ci-token}" # References /etc/flipt/secrets/ci-token
 ```
 ### Vault Provider Examples
 ```yaml
 authentication:
+ required: true
 methods:
 oidc:
 providers:
 google:
- client_id: ${secret:vault:auth/oidc:client_id}
- client_secret: ${secret:vault:auth/oidc:client_secret}
+ client_id: "${secret:vault:auth/oidc:client_id}"
+ client_secret: "${secret:vault:auth/oidc:client_secret}"
 github:
- client_id: ${secret:vault:auth/github:client_id}
- client_secret: ${secret:vault:auth/github:client_secret}
+ client_id: "${secret:vault:auth/github:client_id}"
+ client_secret: "${secret:vault:auth/github:client_secret}"
 token:
 enabled: true
 storage:
 tokens:
 "ci_token":
- credential: ${secret:vault:flipt/tokens:ci-token}
+ credential: "${secret:vault:flipt/tokens:ci-token}"
 ```
 ### Combined with Environment Variables