Commit 3aa5d08

fix: Add security note to LDAIConfigTracker.getResumptionToken()
1 parent 5381bf4 commit 3aa5d08

1 file changed

Lines changed: 4 additions & 0 deletions

lib/sdk/server-ai/src/main/java/com/launchdarkly/sdk/server/ai/LDAIConfigTracker.java

@@ -41,6 +41,10 @@ public interface LDAIConfigTracker {
4141
* The resumption token encodes the run's identity and can be passed to
4242
* {@link LDAIClient#createTracker(String, com.launchdarkly.sdk.LDContext)} to reconstruct a
4343
* tracker on a subsequent request (for example, in a streaming scenario).
44+
* <p>
45+
* <strong>Security note:</strong> resumption tokens embed flag-evaluation details such as the
46+
* variation key and config version. Keep tokens server-side and do not round-trip them through
47+
* untrusted clients where they could leak flag-targeting information.
4448
*
4549
* @return the resumption token, or {@code null} if not available
4650
*/
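
Review bot: The security note added at new lines 44-47 addresses only disclosure, but the unchanged paragraph directly above it says the token is passed to `LDAIClient#createTracker(String, LDContext)` to reconstruct a tracker, so a token that has been through a client is also untrusted input when it comes back. The Javadoc should state whether the token is integrity-protected or validated when handed to `createTracker`, or say plainly that it must be treated as unauthenticated data, and the same caveat belongs on `createTracker` itself with a `{@link}` between the two. Because the existing text gives a streaming scenario across requests as the use case, it would also help to name the intended alternative to round-tripping, for example keeping the token in server-side session state and handing the client only a reference to it.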
