flipt-io · markphelps · Feb 28, 2026 · Feb 27, 2026 · Feb 28, 2026
@@ -196,6 +196,55 @@ authentication:
               some_key: "some_value"
 ```
 
+#### Using Secret References
+
+To avoid storing token values directly in your configuration file, you can use [secret references](/v2/configuration/overview#secret-references) with a configured [secret provider](/v2/configuration/secrets).
+
+Using the [file provider](/v2/configuration/secrets#file-provider):
+
+```yaml config.yaml
+authentication:
+  required: true
+  methods:
+    token:
+      enabled: true
+      storage:
+        tokens:
+          "ci_token":
+            credential: "${secret:file:ci-token}" # References /etc/flipt/secrets/ci-token
+            metadata:
+              name: "CI Pipeline Token"
+          "dev_token":
+            credential: "${secret:file:dev-token}" # References /etc/flipt/secrets/dev-token
+            metadata:
+              name: "Development Token"
+```
+
+Using the [HashiCorp Vault provider](/v2/configuration/secrets#hashicorp-vault-provider):
+
+```yaml config.yaml
+authentication:
+  required: true
+  methods:
+    token:
+      enabled: true
+      storage:
+        tokens:
+          "ci_token":
+            credential: "${secret:vault:flipt/tokens:ci-token}" # References flipt/tokens secret, key: ci-token
+            metadata:
+              name: "CI Pipeline Token"
+          "dev_token":
+            credential: "${secret:vault:flipt/tokens:dev-token}" # References flipt/tokens secret, key: dev-token
+            metadata:
+              name: "Development Token"
+```
+
+<Tip>
+  See [Secrets](/v2/configuration/secrets) for details on configuring secret
+  providers.
+</Tip>
+
 ### OIDC
 
 <Note>The `OIDC` method is a `session compatible` authentication method.</Note>

@@ -166,28 +166,43 @@ Secret references use the format `${secret:provider:key}` where:
 
 ```yaml
 server:
-  cert_file: ${secret:file:tls-cert} # References /etc/flipt/secrets/tls-cert
-  cert_key: ${secret:file:tls-key} # References /etc/flipt/secrets/tls-key
+  cert_file: "${secret:file:tls-cert}" # References /etc/flipt/secrets/tls-cert
+  cert_key: "${secret:file:tls-key}" # References /etc/flipt/secrets/tls-key
 
 authentication:
+  required: true
   session:
     csrf:
-      key: ${secret:file:csrf-key} # References /etc/flipt/secrets/csrf-key
+      key: "${secret:file:csrf-key}" # References /etc/flipt/secrets/csrf-key
+  methods:
+    token:
+      enabled: true
+      storage:
+        tokens:
+          "ci_token":
+            credential: "${secret:file:ci-token}" # References /etc/flipt/secrets/ci-token
 ```
 
 ### Vault Provider Examples
 
 ```yaml
 authentication:
+  required: true
   methods:
     oidc:
       providers:
         google:
-          client_id: ${secret:vault:auth/oidc:client_id}
-          client_secret: ${secret:vault:auth/oidc:client_secret}
+          client_id: "${secret:vault:auth/oidc:client_id}"
+          client_secret: "${secret:vault:auth/oidc:client_secret}"
         github:
-          client_id: ${secret:vault:auth/github:client_id}
-          client_secret: ${secret:vault:auth/github:client_secret}
+          client_id: "${secret:vault:auth/github:client_id}"
+          client_secret: "${secret:vault:auth/github:client_secret}"
+    token:
+      enabled: true
+      storage:
+        tokens:
+          "ci_token":
+            credential: "${secret:vault:flipt/tokens:ci-token}"
 ```
 
 ### Combined with Environment Variables