Testing with the SDK

Auth and Deployment

On localhost the SDK just works. Against a shared staging instance, whether the flag endpoints are open or protected depends on one setting on the mock server. This page covers that setting and how to wire the secret into your test runs.

How Mocko protects management routes

The mock server's MANAGEMENT_AUTH_MODE setting has three levels:

  • deploy (the default): internal management routes require auth, but flag endpoints stay open. The SDK needs no configuration.
  • all: flag endpoints also require a bearer token. The SDK must be given the secret.
  • none: everything is open. Fine for throwaway local setups.

The default is deliberately test-friendly: flags are the public contract between tests and mocks, so they stay open unless you opt into locking them down. Lock them down when the instance is reachable beyond your team or when flag values could be sensitive.

Passing the secret

Against a core running with MANAGEMENT_AUTH_MODE=all, pass the instance's deploy secret to the client. It is sent as Authorization: Bearer <secret> on flag requests:

export const mocko = new MockoClient('https://mocks.staging.example.com', {
secret: process.env.MOCKO_SECRET,
});

Keep the secret in your test environment's secret store like any other credential; the client reads it from an environment variable so nothing lands in the repo.

Where the secret comes from

  • On self-managed cores, it is whatever you set as DEPLOY_SECRET in the configuration.
  • On Helm installs, the chart generates it. Read it from the release secret:
$kubectl get secret mocko -o jsonpath='{.data.deploy-secret}' | base64 -d
The CLI generates a random secret per run and keeps flag endpoints open (deploy mode), which is why none of this ever comes up in local development.

Behavior details

  • With all mode and a missing or wrong secret, flag calls fail with 401; the SDK surfaces that as a thrown error, so misconfigured CI fails loudly rather than silently testing nothing.
  • The same secret protects the control panel's internal calls, so rotating DEPLOY_SECRET means updating both the control deployment and your test environments.

Next

That completes the SDK section. If you are setting up the instances your tests will point at, head to Running Mocko.