Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

Twitch Ships Server-Side Eppo Keys in Its iOS App, Exposing Its Entire Product Roadmap

  • What: Twitch iOS app leaks product roadmap via misconfigured feature flagging SDK
  • Impact: Twitch's internal product strategy, running experiments, and partner ad campaigns are readable by anyone who captures the app's SDK key from network traffic

How a one-character configuration mistake turns feature flags into a competitive intelligence feed

The Twitch iOS application initializes the Eppo feature flagging SDK (now a Datadog product) using server-side SDK Keys instead of Client Tokens. This means every flag configuration is returned to the device in plaintext: flag names, variation values, allocation percentages, targeting rules, A/B test structures, and experiment status.

Two distinct SDK keys were observed in network traffic from the Twitch iOS app. Together they return over 260 production feature flags across Twitch's Production environment. Across a two-week observation window, 12 Twitch iOS users generated 208 flag configuration requests, confirming that these configurations are fetched automatically, repeatedly, and at scale by the app's normal operation.

The result is not a list of boolean toggles. It is a real-time, continuously updated window into Twitch's product strategy.

What leaked

Before the technical details, here is what these unobfuscated flags reveal. None of this has been publicly disclosed by Twitch or Amazon:

  • Twitch is testing viewer-triggered ad breaks (pause-ads-trigger), a 50/50 A/B test launched February 26, 2026. If viewers choose when to watch ads instead of being interrupted, it rewrites Twitch's entire relationship with its audience.
  • Amazon product listings are live inside Twitch streams for e.l.f. Cosmetics, Dove, Razer, Revlon, L'Oréal, NYX, Meta Quest, Bazooka, and others, with ASINs, campaign IDs, and per-brand measurement holdouts baked into the flag configuration.
  • Turbo has a dedicated growth engineering team: nine sequential placement tests, a nested experiment pitting "signup upsell" against "acquisition," a 30% targeted discount, and a custom chat color upsell. The ad-free tier is no longer an afterthought.
  • A friendly fraud ML model is deployed to 90% of users, 2FA is being skipped for 99.98% of new creators, and the complete community gift sub pricing curve (discount tiers, quantity breakpoints, margin ratios) is readable in the JSON payload.
  • An "Elevate Prime 2026" experiment with seven variants is fully configured but not yet launched: five strategies to convert free viewers into Prime subscribers.
  • A Twitch Rivals roster for a February 2026 event is hardcoded: tydollasign, funnymike, Im_Dontai, and 15 other handles.

All of this from two misconfigured SDK keys.

The misconfiguration

Eppo provides two types of credentials for SDK initialization: SDK Keys and Client Tokens. They are functionally identical with one critical difference: when a Client Token is used, the configuration payload is obfuscated. Flag names are hashed, variation values are encoded, and targeting rules are not human-readable. Eppo's own documentation is explicit:

  "SDK keys and Client Tokens are the same functionality keys, except config always is obfuscated when Client Tokens are used. Therefore, the main application of the Client Tokens is SDK clients requesting configurations for clients such as browsers or mobile applications. Meanwhile, the primary application of the SDK keys is on server side."

And from the SDK introduction:

  "For client SDKs, this configuration is obfuscated to ensure that end users cannot reverse engineer what flags are active, or what targeting logic is in place."

Twitch's iOS application uses server-side keys. Two distinct keys were observed in network traffic:

  Key 1: 3mv-BKCSZJDyZr...
  Key 2: jfJjDAgpy-B7j5...

Key 1 returns 146 flags spanning web, mobile, and cross-platform features. Key 2 returns 132 flags, predominantly iOS-specific. Nine flags appear in both.

Both return "format":"SERVER" in the response header, the explicit marker that the payload is unobfuscated:

  {
    "createdAt": "2026-02-27T08:45:24.609Z",
    "format": "SERVER",
    "environment": { "name": "Production" },
    "flags": { ... }
  }

Had Client Tokens been used, this field would read "format":"CLIENT" and every flag key, variation, and rule would be hashed. Instead, the entire configuration (flag names, experiment structures, targeting conditions, JSON payloads with ASINs and pricing tables) is returned as human-readable JSON.

The endpoint is hosted on Twitch's CDN (assets.twitch.tv), requires no authentication beyond the key itself, and is not rate-limited:

  GET /eppo/api/flag-config/v1/config?sdkName=ios-debug&sdkVersion=4.0.1&apiKey=[KEY]
  Host: assets.twitch.tv

Once a key is observed in network traffic, it can be used to poll from any HTTP client indefinitely. Changes Twitch makes to their flag configuration are reflected within minutes.

What feature flags encode

In a mature experimentation platform like Eppo, each flag carries a flag name, a human-readable string like is_user_in_friendly_fraud_group or Elevate-Prime-2026. Variation values: the possible states, revealing whether something is a simple rollout or a multi-arm experiment. Allocation rules: who sees what at what percentage, distinguishing active A/B tests (50/50 with logging) from grad...
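An added example (not code from the article, Twitch, or Eppo) showing how an app security team could audit its own captured flag-config traffic for this mistake. It assumes the "format" marker and request shape quoted above, treats fixed-length hex flag keys as an assumed sign of an obfuscated payload, and uses constructed sample responses with a placeholder key rather than real captures.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Assumption: an obfuscated CLIENT config replaces flag keys with fixed-length hex digests,
# so a hex-looking key is a secondary tell; the primary marker is the "format" field.
HEX32 = re.compile(r"^[0-9a-f]{32}$")
CLIENT_SDK_TAGS = ("ios", "android", "js-client", "react", "flutter")

def audit_flag_config(raw_json: str) -> dict:
    """Classify one flag-config payload as obfuscated (Client Token) or plaintext (SDK Key)."""
    cfg = json.loads(raw_json)
    fmt = cfg.get("format", "UNKNOWN")
    flags = cfg.get("flags", {})
    readable = sorted(k for k in flags if not HEX32.match(k))
    return {
        "format": fmt,
        "environment": cfg.get("environment", {}).get("name"),
        "flag_count": len(flags),
        "readable_flag_keys": readable,
        # Either signal suffices: the explicit SERVER marker, or human-readable flag keys.
        "plaintext_config": fmt == "SERVER" or bool(readable),
    }

def audit_request(url: str, raw_json: str) -> str:
    """Pair the request's sdkName with its response. A client-side SDK name plus a
    plaintext response is exactly the misconfiguration described in the article."""
    sdk_name = parse_qs(urlparse(url).query).get("sdkName", [""])[0].lower()
    client_sdk = any(tag in sdk_name for tag in CLIENT_SDK_TAGS)
    plaintext = audit_flag_config(raw_json)["plaintext_config"]
    if client_sdk and plaintext:
        return "CLIENT_SDK_WITH_SERVER_KEY"  # remediation: ship a Client Token in the app instead
    return "SERVER_KEY" if plaintext else "CLIENT_TOKEN"

# Constructed samples (not captured Twitch data): the request shape quoted in the article with
# a placeholder key, a plaintext response trimmed to one flag, and an obfuscated counterpart.
SAMPLE_URL = ("https://assets.twitch.tv/eppo/api/flag-config/v1/config"
              "?sdkName=ios-debug&sdkVersion=4.0.1&apiKey=PLACEHOLDER-KEY")
SAMPLE_SERVER = json.dumps({
    "createdAt": "2026-02-27T08:45:24.609Z", "format": "SERVER",
    "environment": {"name": "Production"},
    "flags": {"pause-ads-trigger": {"enabled": True, "variationType": "BOOLEAN",
                                    "allocations": [{"key": "ab-test-50-50"}]}},
})
SAMPLE_CLIENT = json.dumps({
    "format": "CLIENT", "environment": {"name": "Production"},
    "flags": {"0123456789abcdef0123456789abcdef": {"enabled": True}},
})
```

Running audit_request(SAMPLE_URL, SAMPLE_SERVER) returns CLIENT_SDK_WITH_SERVER_KEY, while the same request paired with SAMPLE_CLIENT returns CLIENT_TOKEN.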
