Skip to main content

Configuration obfuscation

During SDK initialization, a configuration file is retrieved from Eppo's CDN, which includes information about the feature flag/experiment variations, traffic allocations, and targeting rules. The SDK stores these configurations locally for rapid lookup. However, when the SDK is initialized in certain mobile and browser clients, this configuration may be accessible by users, and so Eppo hashes data in the configuration to obfuscate it. The configuration cannot be hashed entirely without compromising functionality, so the hashed fields in the configuration that can be used without leaking sensitive data are shown below.

"flags": {
"<hashed_flag_key>": {
"rules": [
"conditions": [
"attribute": "<hashed_attribute>",
"operator": "<hashed_operator>",
"value": "<hashed_or_encoded_value>"
"allocationKey": "allocation-123"
"allocations": [ ... ],

Targeting rule values are conditionally hashed

The value field in conditions may or may not be hashed depending on the configured operator for the targeting rule in the allocation.

is one ofhashed
is not one ofhashed
less than (<)encoded
less than or equal (<=)encoded
greater than (>)encoded
greater than or equal (>=)encoded
matches regexencoded

The targeting rule's operator is configured in the UI during allocation setup.

Selecting rule operator

For operator types that do not support hashing, we recommend against entering sensitive data for the value.

Allocation data is not hashed

Information about allocations is not hashed, which includes percent exposure and variation names and values. We therefore also recommend against entering sensitive data when configuring variations.

Supported SDKs

SDKMin versionHashed data
Androidv0.3.0feature flag key
Javascriptv1.3.0feature flag key and targeting rules