feat(flags): Always pass project API key in remote config requests

Updates `remote_config` to always make POST requests with the project API key in the request body for deterministic project selection and validation.

- Modified remote_config() to use POST instead of GET
- Always include `project_api_key` parameter in request body
- Ensures deterministic routing for personal API keys
- Validates secret API keys match expected project
- Updated tests to reflect new behavior

This aligns with backend changes in PostHog/posthog#36154

Author: haacked

posthog/client.py

@@ -4,20 +4,26 @@
 import sys
 from datetime import datetime, timedelta
 from typing import Any, Dict, Optional, Union
-from typing_extensions import Unpack
 from uuid import uuid4
 
 from dateutil.tz import tzutc
 from six import string_types
+from typing_extensions import Unpack
 
-from posthog.args import OptionalCaptureArgs, OptionalSetArgs, ID_TYPES, ExceptionArg
+from posthog.args import ID_TYPES, ExceptionArg, OptionalCaptureArgs, OptionalSetArgs
 from posthog.consumer import Consumer
+from posthog.contexts import (
+    _get_current_context,
+    get_context_distinct_id,
+    get_context_session_id,
+    new_context,
+)
 from posthog.exception_capture import ExceptionCapture
 from posthog.exception_utils import (
     exc_info_from_error,
+    exception_is_already_captured,
     exceptions_from_error_tuple,
     handle_in_app,
-    exception_is_already_captured,
     mark_exception_as_captured,
 )
 from posthog.feature_flags import InconclusiveMatchError, match_feature_flag_properties
@@ -31,12 +37,6 @@
     get,
     remote_config,
 )
-from posthog.contexts import (
-    _get_current_context,
-    get_context_distinct_id,
-    get_context_session_id,
-    new_context,
-)
 from posthog.types import (
     FeatureFlag,
     FeatureFlagResult,
@@ -1629,6 +1629,7 @@ def get_remote_config_payload(self, key: str):
                 self.personal_api_key,
                 self.host,
                 key,
+                project_api_key=self.api_key,
                 timeout=self.feature_flags_request_timeout_seconds,
             )
         except Exception as e:
@@ -1845,9 +1846,9 @@ def _initialize_flag_cache(self, cache_url):
             return None
 
         try:
-            from urllib.parse import urlparse, parse_qs
+            from urllib.parse import parse_qs, urlparse
         except ImportError:
-            from urlparse import urlparse, parse_qs
+            from urlparse import parse_qs, urlparse
 
         try:
             parsed = urlparse(cache_url)

posthog/request.py

@@ -132,14 +132,33 @@ def flags(
 
 
 def remote_config(
-    personal_api_key: str, host: Optional[str] = None, key: str = "", timeout: int = 15
+    personal_api_key: str,
+    host: Optional[str] = None,
+    key: str = "",
+    project_api_key: str = "",
+    timeout: int = 15,
 ) -> Any:
     """Get remote config flag value from remote_config API endpoint"""
-    return get(
-        personal_api_key,
-        f"/api/projects/@current/feature_flags/{key}/remote_config/",
-        host,
-        timeout,
+    url = (
+        remove_trailing_slash(host or DEFAULT_HOST)
+        + f"/api/projects/@current/feature_flags/{key}/remote_config/"
+    )
+
+    body = {"project_api_key": project_api_key, "sentAt": datetime.now(tz=tzutc()).isoformat()}
+
+    headers = {
+        "Authorization": f"Bearer {personal_api_key}",
+        "Content-Type": "application/json",
+        "User-Agent": USER_AGENT,
+    }
+
+    data = json.dumps(body, cls=DatetimeSerializer)
+
+    res = _session.post(url, data=data, headers=headers, timeout=timeout)
+
+    return _process_response(
+        res,
+        success_message=f"POST /api/projects/@current/feature_flags/{key}/remote_config/ completed successfully",
     )
 
 

posthog/test/test_client.py

@@ -2,13 +2,13 @@
 import unittest
 from datetime import datetime
 from uuid import uuid4
-from posthog.contexts import get_context_session_id, set_context_session, new_context
 
 import mock
 import six
 from parameterized import parameterized
 
 from posthog.client import Client
+from posthog.contexts import get_context_session_id, new_context, set_context_session
 from posthog.request import APIError
 from posthog.test.test_utils import FAKE_TEST_API_KEY
 from posthog.types import FeatureFlag, LegacyFlagMetadata
@@ -2057,7 +2057,7 @@ def test_set_context_session_with_page_explicit_properties(self):
 
     def test_set_context_session_override_in_capture(self):
         """Test that explicit session ID overrides context session ID in capture"""
-        from posthog.contexts import set_context_session, new_context
+        from posthog.contexts import new_context, set_context_session
 
         with mock.patch("posthog.client.batch_post") as mock_post:
             client = Client(FAKE_TEST_API_KEY, on_error=self.set_fail, sync_mode=True)
@@ -2160,6 +2160,7 @@ def test_get_remote_config_payload_works_without_poller(self, patch_remote_confi
             "test-personal-key",
             client.host,
             "test-flag",
+            project_api_key=FAKE_TEST_API_KEY,
             timeout=client.feature_flags_request_timeout_seconds,
         )
 
@@ -2282,9 +2283,7 @@ def test_get_feature_flag_result_with_empty_string_payload(self, patch_batch_pos
                             }
                         ]
                     },
-                    "payloads": {
-                        "empty-variant": ""  # Empty string payload
-                    },
+                    "payloads": {"empty-variant": ""},  # Empty string payload
                 },
             }
         ]