open-feature · tangenti · Nov 3, 2025 · Oct 27, 2025 · Oct 30, 2025
@@ -216,11 +216,6 @@ func Test_SyncsFromFromConfig(t *testing.T) {
 						CertPath:   "/tmp/ca.cert",
 						Selector:   "source=database",
 					},
-					{
-						URI:         "https://host:port",
-						Provider:    syncProviderHTTP,
-						BearerToken: "token",
-					},
 					{
 						URI:        "https://host:port",
 						Provider:   syncProviderHTTP,
@@ -251,7 +246,6 @@ func Test_SyncsFromFromConfig(t *testing.T) {
 			wantSyncs: []sync.ISync{
 				&grpc.Sync{},
 				&http.Sync{},
-				&http.Sync{},
 				&file.Sync{},
 				&kubernetes.Sync{},
 				&blob.Sync{},

@@ -22,11 +22,6 @@ func ParseSources(sourcesFlag string) ([]sync.SourceConfig, error) {
 		if sp.Provider == "" {
 			return syncProvidersParsed, errors.New("sync provider argument parse: provider is a required field")
 		}
-		if sp.AuthHeader != "" && sp.BearerToken != "" {
-			return syncProvidersParsed, errors.New(
-				"sync provider argument parse: both authHeader and bearerToken are defined, only one is allowed at a time",
-			)
-		}
 	}
 	return syncProvidersParsed, nil
 }

@@ -26,7 +26,7 @@ func TestParseSource(t *testing.T) {
 		"multiple-syncs": {
 			in: `[
 					{"uri":"config/samples/example_flags.json","provider":"file"},
-					{"uri":"http://test.com","provider":"http","bearerToken":":)"},
+					{"uri":"http://test.com","provider":"http","authHeader":"Bearer :)"},
 					{"uri":"host:port","provider":"grpc"},
 					{"uri":"default/my-crd","provider":"kubernetes"},
 					{"uri":"gs://bucket-name/path/to/file","provider":"gcs"},
@@ -42,7 +42,7 @@ func TestParseSource(t *testing.T) {
 				{
 					URI:         "http://test.com",
 					Provider:    syncProviderHTTP,
-					BearerToken: ":)",
+					AuthHeader: "Bearer :)",
 				},
 				{
 					URI:      "host:port",
@@ -69,8 +69,6 @@ func TestParseSource(t *testing.T) {
 		"multiple-syncs-with-options": {
 			in: `[
 				{"uri":"config/samples/example_flags.json","provider":"file"},
-				{"uri":"http://my-flag-source.json","provider":"http","bearerToken":"bearer-dji34ld2l"},
-				{"uri":"https://secure-remote","provider":"http","bearerToken":"bearer-dji34ld2l"},
 				{"uri":"https://secure-remote","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
 				{"uri":"https://secure-remote","provider":"http","authHeader":"Basic dXNlcjpwYXNz"},
 				{"uri":"http://site.com","provider":"http","interval":77 },
@@ -84,16 +82,6 @@ func TestParseSource(t *testing.T) {
 					URI:      "config/samples/example_flags.json",
 					Provider: syncProviderFile,
 				},
-				{
-					URI:         "http://my-flag-source.json",
-					Provider:    syncProviderHTTP,
-					BearerToken: "bearer-dji34ld2l",
-				},
-				{
-					URI:         "https://secure-remote",
-					Provider:    syncProviderHTTP,
-					BearerToken: "bearer-dji34ld2l",
-				},
 				{
 					URI:        "https://secure-remote",
 					Provider:   syncProviderHTTP,
@@ -127,22 +115,6 @@ func TestParseSource(t *testing.T) {
 				},
 			},
 		},
-		"multiple-auth-options": {
-			in: `[
-				{"uri":"https://secure-remote","provider":"http","authHeader":"Bearer bearer-dji34ld2l","bearerToken":"bearer-dji34ld2l"}
-			]`,
-			expectErr: true,
-			out: []sync.SourceConfig{
-				{
-					URI:         "https://secure-remote",
-					Provider:    syncProviderHTTP,
-					AuthHeader:  "Bearer bearer-dji34ld2l",
-					BearerToken: "bearer-dji34ld2l",
-					TLS:         false,
-					Interval:    0,
-				},
-			},
-		},
 		"empty": {
 			in:        `[]`,
 			expectErr: false,

@@ -29,7 +29,6 @@ type Sync struct {
 	cron        Cron
 	lastBodySHA string
 	logger      *logger.Logger
-	bearerToken string
 	authHeader  string
 	interval    uint32
 	ready       bool
@@ -107,9 +106,6 @@ func (hs *Sync) ReSync(ctx context.Context, dataSync chan<- sync.DataSync) error
 }
 
 func (hs *Sync) Init(_ context.Context) error {
-	if hs.bearerToken != "" {
-		hs.logger.Warn("Deprecation Alert: bearerToken option is deprecated, please use authHeader instead")
-	}
 	return nil
 }
 
@@ -176,9 +172,6 @@ func (hs *Sync) fetchBody(ctx context.Context, fetchAll bool) (string, bool, err
 
 	if hs.authHeader != "" {
 		req.Header.Set("Authorization", hs.authHeader)
-	} else if hs.bearerToken != "" {
-		bearer := fmt.Sprintf("Bearer %s", hs.bearerToken)
-		req.Header.Set("Authorization", bearer)
 	}
 
 	if hs.eTag != "" && !fetchAll {
@@ -299,7 +292,6 @@ func NewHTTP(config sync.SourceConfig, logger *logger.Logger) *Sync {
 			zap.String("component", "sync"),
 			zap.String("sync", "http"),
 		),
-		bearerToken:     config.BearerToken,
 		authHeader:      config.AuthHeader,
 		interval:        interval,
 		cron:            cron.New(),

@@ -125,7 +125,6 @@
 	tests := map[string]struct {
 		setup          func(t *testing.T, client *syncmock.MockClient)
 		uri            string
-		bearerToken    string
 		authHeader     string
 		eTagHeader     string
 		lastBodySHA    string
@@ -181,37 +180,6 @@
 				}
 			},
 		},
-		"authorization with bearerToken": {
-			setup: func(t *testing.T, client *syncmock.MockClient) {
-				expectedToken := "bearer-1234"
-				client.EXPECT().Do(gomock.Any()).DoAndReturn(func(req *http.Request) (*http.Response, error) {
-					actualAuthHeader := req.Header.Get("Authorization")
-					if actualAuthHeader != "Bearer "+expectedToken {
-						t.Fatalf("expected Authorization header to be 'Bearer %s', got %s", expectedToken, actualAuthHeader)
-					}
-					return &http.Response{
-						Header:     buildHeaders(map[string][]string{"Content-Type": {"application/json"}}),
-						Body:       io.NopCloser(strings.NewReader("test response")),
-						StatusCode: http.StatusOK,
-					}, nil
-				})
-			},
-			uri:         "http://localhost",
-			bearerToken: "bearer-1234",
-			lastBodySHA: "",
-			handleResponse: func(t *testing.T, httpSync Sync, _ string, err error) {
-				if err != nil {
-					t.Fatalf("fetch: %v", err)
-				}
-
-				expectedLastBodySHA := "UjeJHtCU_wb7OHK-tbPoHycw0TqlHzkWJmH4y6cqg50="
-				if httpSync.lastBodySHA != expectedLastBodySHA {
-					t.Errorf(
-						"expected last body sha to be: '%s', got: '%s'", expectedLastBodySHA, httpSync.lastBodySHA,
-					)
-				}
-			},
-		},
 		"authorization with authHeader": {
 			setup: func(t *testing.T, client *syncmock.MockClient) {
 				expectedHeader := "Basic dXNlcjpwYXNz"
@@ -348,7 +316,6 @@
 			httpSync := Sync{
 				uri:         tt.uri,
 				client:      mockClient,
-				bearerToken: tt.bearerToken,
 				authHeader:  tt.authHeader,
 				lastBodySHA: tt.lastBodySHA,
 				logger:      logger.NewLogger(nil, false),
@@ -361,30 +328,6 @@
 	}
 }
 
-func TestSync_Init(t *testing.T) {
-	tests := []struct {
-		name        string
-		bearerToken string
-	}{
-		{"with bearerToken", "bearer-1234"},
-		{"without bearerToken", ""},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			httpSync := Sync{
-				bearerToken: tt.bearerToken,
-				logger:      logger.NewLogger(nil, false),
-			}
-
-			if err := httpSync.Init(context.Background()); err != nil {
-				t.Errorf("Init() error = %v", err)
-			}
-		})
-	}
-
-}
-
 func TestHTTPSync_Resync(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	source := "http://localhost"
@@ -393,7 +336,6 @@
 	tests := map[string]struct {
 		setup             func(t *testing.T, client *syncmock.MockClient)
 		uri               string
-		bearerToken       string
 		lastBodySHA       string
 		handleResponse    func(*testing.T, Sync, string, error)
 		wantErr           bool
@@ -448,7 +390,6 @@
 			httpSync := Sync{
 				uri:         tt.uri,
 				client:      mockClient,
-				bearerToken: tt.bearerToken,
 				lastBodySHA: tt.lastBodySHA,
 				logger:      logger.NewLogger(nil, false),
 			}
@@ -617,7 +558,7 @@
 			l := logger.NewLogger(nil, false)
 			s := NewHTTP(sync.SourceConfig{
 				URI:         ts.URL,
-				BearerToken: "it_should_be_replaced_by_oauth",
+				AuthHeader: "Bearer it_should_be_replaced_by_oauth",
 				OAuth: &sync.OAuthCredentialHandler{
 					ClientID:     clientID,
 					ClientSecret: clientSecret,
@@ -679,7 +620,7 @@
 			return
 		} else if strings.HasSuffix(r.URL.Path, flagsPath) {
 			// mock flags response
 			io.ReadAll(r.Body)

 			w.WriteHeader(http.StatusOK)
 			w.Header().Set("Content-Type", "application/json")
@@ -710,7 +651,7 @@
 	l := logger.NewLogger(nil, false)
 	s := NewHTTP(sync.SourceConfig{
 		URI:         ts.URL + flagsPath,
-		BearerToken: "it_should_be_replaced_by_oauth",
+		AuthHeader: "Bearer it_should_be_replaced_by_oauth",
 		OAuth: &sync.OAuthCredentialHandler{
 			ClientID:     clientID,
 			ClientSecret: clientSecret,

@@ -39,7 +39,6 @@ type SourceConfig struct {
 	URI      string `json:"uri"`
 	Provider string `json:"provider"`
 
-	BearerToken string `json:"bearerToken,omitempty"`
 	AuthHeader  string `json:"authHeader,omitempty"`
 	CertPath    string `json:"certPath,omitempty"`
 	TLS         bool   `json:"tls,omitempty"`

@@ -47,18 +47,17 @@ The flagd accepts a string argument, which should be a JSON representation of an
 
 Alternatively, these configurations can be passed to flagd via config file, specified using the `--config` flag.
 
-| Field       | Type               | Note                                                                                                                                                                                                             |
-| ----------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| uri         | required `string`  | Flag configuration source of the sync                                                                                                                                                                            |
-| provider    | required `string`  | Provider type - `file`, `fsnotify`, `fileinfo`, `kubernetes`, `http`, `grpc`, `gcs` or `azblob`                                                                                                                  |
-| authHeader  | optional `string`  | Used for http sync; set this to include the complete `Authorization` header value for any authentication scheme (e.g., "Bearer token_here", "Basic base64_credentials", etc.). Cannot be used with `bearerToken` |
-| bearerToken | optional `string`  | (Deprecated) Used for http sync; token gets appended to `Authorization` header with [bearer schema](https://www.rfc-editor.org/rfc/rfc6750#section-2.1). Cannot be used with `authHeader`                        |
-| interval    | optional `uint32`  | Used for http, gcs and azblob syncs; requests will be made at this interval. Defaults to 5 seconds.                                                                                                              |
-| tls         | optional `boolean` | Enable/Disable secure TLS connectivity. Currently used only by gRPC sync. Default (ex: if unset) is false, which will use an insecure connection                                                                 |
-| providerID  | optional `string`  | Value binds to grpc connection's providerID field. gRPC server implementations may use this to identify connecting flagd instance                                                                                |
-| selector    | optional `string`  | Value binds to grpc connection's selector field. gRPC server implementations may use this to filter flag configurations                                                                                          |
-| certPath    | optional `string`  | Used for grpcs sync when TLS certificate is needed. If not provided, system certificates will be used for TLS connection                                                                                         |
-| maxMsgSize  | optional `int`     | Used for gRPC sync to set max receive message size (in bytes) e.g. 5242880 for 5MB. If not provided, the default is [4MB](https://pkg.go.dev/google.golang.org#grpc#MaxCallRecvMsgSize)                          |
+| Field       | Type               | Note                                                                                                                                                                                    |
+| ----------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| uri         | required `string`  | Flag configuration source of the sync                                                                                                                                                   |
+| provider    | required `string`  | Provider type - `file`, `fsnotify`, `fileinfo`, `kubernetes`, `http`, `grpc`, `gcs` or `azblob`                                                                                         |
+| authHeader  | optional `string`  | Used for http sync; set this to include the complete `Authorization` header value for any authentication scheme (e.g., "Bearer token_here", "Basic base64_credentials", etc.).          |
+| interval    | optional `uint32`  | Used for http, gcs and azblob syncs; requests will be made at this interval. Defaults to 5 seconds.                                                                                     |
+| tls         | optional `boolean` | Enable/Disable secure TLS connectivity. Currently used only by gRPC sync. Default (ex: if unset) is false, which will use an insecure connection                                        |
+| providerID  | optional `string`  | Value binds to grpc connection's providerID field. gRPC server implementations may use this to identify connecting flagd instance                                                       |
+| selector    | optional `string`  | Value binds to grpc connection's selector field. gRPC server implementations may use this to filter flag configurations                                                                 |
+| certPath    | optional `string`  | Used for grpcs sync when TLS certificate is needed. If not provided, system certificates will be used for TLS connection                                                                |
+| maxMsgSize  | optional `int`     | Used for gRPC sync to set max receive message size (in bytes) e.g. 5242880 for 5MB. If not provided, the default is [4MB](https://pkg.go.dev/google.golang.org#grpc#MaxCallRecvMsgSize) |
 
 The `uri` field values **do not** follow the [URI patterns](#uri-patterns). The provider type is instead derived
 from the `provider` field. Only exception is the remote provider where `http(s)://` is expected by default. Incorrect
@@ -94,7 +93,7 @@ Startup command:
 --sources='[{"uri":"config/samples/example_flags.json","provider":"file"},
             {"uri":"config/samples/example_flags.json","provider":"fsnotify"},
             {"uri":"config/samples/example_flags.json","provider":"fileinfo"},
-            {"uri":"http://my-flag-source/flags.json","provider":"http","bearerToken":"bearer-dji34ld2l"},
+            {"uri":"http://my-flag-source/flags.json","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
             {"uri":"https://secure-remote/bearer-auth/flags.json","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
             {"uri":"https://secure-remote/basic-auth/flags.json","provider":"http","authHeader":"Basic dXNlcjpwYXNz"},
             {"uri":"default/my-flag-config","provider":"kubernetes"},
@@ -118,7 +117,7 @@ sources:
     provider: fileinfo
   - uri: http://my-flag-source/flags.json
     provider: http
-    bearerToken: bearer-dji34ld2l
+    authHeader: "Bearer bearer-dji34ld2l"
   - uri: default/my-flag-config
     provider: kubernetes
   - uri: my-flag-source:8080