Knogin
[Developers]

Feature Flags Domain

A public safety platform serves a diverse range of customers: a national police service that needs the full intelligence and investigation suite, a utility operator that needs only the dispatch and inventory modules, and

Back to All Modules
Category: Api DomainsLast Updated: Feb 5, 2026
api-domainsblockchain

Overview#

A public safety platform serves a diverse range of customers: a national police service that needs the full intelligence and investigation suite, a utility operator that needs only the dispatch and inventory modules, and a trial customer evaluating blockchain monitoring capabilities. Rather than deploying separate codebases for each, the Feature Flags domain controls which capabilities each tenant sees at runtime. The utility operator never encounters the intelligence modules. The trial customer gets blockchain features enabled for sixty days without any code change on the platform side.

Feature flag management also makes incremental rollout practical. A new investigation workflow can be enabled for a single pilot agency, tested in production conditions, and rolled out broadly once validated, all without redeployment.

Key Features#

  • Flag resolution based on authenticated user context and organisation
  • Role-based access levels: superusers receive all features, tenant admins receive tenant-specific sets, guests receive a minimal baseline
  • Default fallback feature set for baseline functionality when no tenant-specific configuration exists
  • Per-user and per-tenant overrides for fine-grained control
  • Domain categorisation: core, analytics, blockchain, aviation, PSAP, intel, and DOC feature families
  • Gradual rollout support with controlled deployment to select organisations
  • Runtime dynamic enabling without redeployment

Use Cases#

  • Controlling feature access per tenant to support tiered service offerings and contract-defined capability packages
  • Gradually rolling out new platform capabilities to select organisations before broad availability
  • Enabling specialist domain features such as blockchain, aviation, or PSAP modules for specific tenants with operational requirements for them
  • Providing superuser access to the complete feature set for platform administration and support workflows

Industry Context#

Government platform vendors serving multiple agencies use feature flags to manage capability tiers across contracts: a district court system may have evidence management but not intelligence analytics, while a national agency has full access. Defence platform operators use flags to enable classified capability modules only for cleared tenant organisations. Utility management platforms serving both electric and water operators enable sector-specific alarm classification rules only where relevant.

Integration#

The Feature Flags domain integrates with Tenant for organisation configuration, Organisation for settings management, User for identity context, and Admin for administration. Flag resolution runs on every authenticated request and is cached per session to minimise database round trips.

Open Standards#

  • GraphQL (June 2018 specification): Flag resolution is exposed as a getFeatureFlags GraphQL query via a Strawberry schema, enabling typed, introspectable access to feature state from any compliant client.
  • JSON Web Tokens / JWT (RFC 7519) with RS256: Every call to resolve feature flags is gated by JWT verification using RS256 signatures validated against a JWKS endpoint; the platform mandates RS256 and rejects any other algorithm.
  • OAuth 2.0 (RFC 6749) and OpenID Connect (OIDC): The JWKS-backed bearer token validation follows OAuth 2.0 token conventions and OIDC discovery; the AUTH_JWKS_URL configuration aligns directly with OIDC provider metadata.
  • JSON (RFC 8259): Feature flag state is stored, propagated through the two-tier cache (in-process and Cloudflare Durable Objects), and returned to clients as JSON boolean maps.
  • Role-Based Access Control (NIST RBAC model, ANSI/INCITS 359-2004): The three-tier hierarchy of superuser, SI admin, tenant admin, standard user, and guest maps directly to the NIST RBAC core model; role evaluation is delegated to a dedicated rbac_service.
  • HTTP/1.1 and REST (RFC 7231): Internal flag-synchronisation between middleware and the auth service uses REST-style HTTP calls following standard HTTP semantics for resource retrieval and status codes.

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14

Ready to Build?

Get started with our APIs or contact our integration team for support.