Skip to content

Decide API

/decide evaluates every feature flag of a project for one distinct id, and returns the project’s session-recording config. It’s what the SDK calls at init and after identify()/reset(); you can call it directly from anywhere that can’t use the SDK.

POST https://ingest.kilden.io/decide
Content-Type: application/json

Same host as capture — SDKs need a single apiHost for events and flags.

{
"write_key": "YOUR_PUBLIC_WRITE_KEY",
"distinct_id": "user_4821",
"person_properties": { "plan": "enterprise" }
}
Field Required Notes
write_key yes Public keys only. A secret key is rejected with 403 — it must never leave your backend, and /decide never needs it
distinct_id yes The id to evaluate for — the same one your events carry
person_properties no Overrides the person’s stored traits for this evaluation only. Nothing is ever written; the event pipeline remains the only way to mutate persons

Body limit: 64 KiB. Cohort-based targeting is resolved server-side from precomputed cohort membership — there’s nothing to send.

{
"flags": {
"new-checkout": true,
"pricing-test": "variant-b",
"sunset-legacy-ui": false
},
"sessionRecording": { "enabled": true, "sampleRate": 0.1 }
}
  • flagsevery flag in the project, evaluated for distinct_id. Values: true, false, or a variant key string for multivariate flags. Inactive flags come back as false, so a consumer can distinguish “off” from “unknown flag”.
  • sessionRecording — the project’s session replay remote config: the kill switch and sample rate the SDK obeys. {"enabled": false, "sampleRate": 0} when recording is off.

Evaluation is deterministic: the same flag key and distinct id always produce the same value, across requests, replicas and deploys. See deterministic bucketing.

Errors are plain text, not JSON:

Status Meaning
400 invalid JSON body: … (including bodies over 64 KiB) or write_key and distinct_id are required
401 unknown write_key
403 secret keys must never leave your backend; call /decide with the project's public write key — or origin not allowed (same allowed-origins check as capture)
405 Method other than POST/OPTIONS
Terminal window
curl -X POST https://ingest.kilden.io/decide \
-H 'Content-Type: application/json' \
-d '{"write_key": "pk_your_public_key", "distinct_id": "user_4821"}'

Identical to capture: Access-Control-Allow-Origin: * on every response; preflight OPTIONS204 with Access-Control-Allow-Methods: POST and Access-Control-Max-Age: 86400.

Flag config changes are visible within ~10 seconds; person traits and cohort membership are cached for ~30 seconds in the evaluation path; cohort membership itself is materialized about every 10 minutes. If you need a property override to apply immediately, pass it in person_properties.