Security
Stage’s SDK is secured via an API key, which you should store in a tool like Doppler or HashiCorp’s Vault, rather than committing it to source control.
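One way to resolve the key at startup without it ever appearing in the repository, as an added example that is not Stage's own code. It assumes the key arrives in an environment variable named `STAGE_API_KEY` (for instance injected by `doppler run`), or else sits in a Vault KV v2 secret at the hypothetical path `stage`, field `api_key`, under the `secret/` mount.

```python
import json
import os
import urllib.request

ENV_VAR = "STAGE_API_KEY"  # assumed variable name, not taken from Stage's docs


def read_vault_kv2(addr, token, path, field, opener=urllib.request.urlopen):
    """Fetch one field of a Vault KV v2 secret under the 'secret/' mount."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/secret/data/{path}",
        headers={"X-Vault-Token": token},
    )
    with opener(req, timeout=5) as resp:
        body = json.load(resp)
    # KV v2 nests the stored key/value pairs under data.data
    return body["data"]["data"][field]


def load_api_key(env=os.environ, vault_reader=read_vault_kv2):
    """Return the API key from the environment, else from Vault; fail closed."""
    key = env.get(ENV_VAR, "").strip()
    if not key and env.get("VAULT_ADDR") and env.get("VAULT_TOKEN"):
        # "stage" and "api_key" are hypothetical secret path and field names
        key = vault_reader(
            env["VAULT_ADDR"], env["VAULT_TOKEN"], "stage", "api_key"
        ).strip()
    if not key:
        # Refuse to start rather than fall back to a hard-coded default
        raise RuntimeError(f"{ENV_VAR} is not set and Vault is not configured")
    return key


def redact(key):
    """Log-safe form of the key: only the last four characters survive."""
    return "****" + key[-4:] if len(key) > 8 else "****"


if __name__ == "__main__":
    try:
        print("Loaded API key", redact(load_api_key()))
    except RuntimeError as err:
        raise SystemExit(str(err))
```
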
Using the API key, your application has the rights to inquire about the access an individual user has to a given feature, and to create an individual user with access to a collection of features (a “plan”), but not to create new features or associate features with plans. We don’t want your engineering team to be responsible for managing those things in code, and we don’t want you to have to worry about the revenue implications of erroneously granting entitlements outside our UI.
Our UI is secured today using username and password authentication, which grants a JWT upon login. This JWT expires upon logout or after 24 hours.