Authentication

How authentication and API keys work in Forge.

Authentication

All Forge API requests require authentication via an API key. Keys are scoped to your account and can be managed from the dashboard.

API Key Format

Forge API keys follow the format forge_sk_<random>. The sk prefix indicates a secret key that should never be exposed in client-side code.

Using Your Key

Pass your API key in the Authorization header as a Bearer token:

Authorization: Bearer forge_sk_your_key_here
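A small client-side helper, added here as an example and not part of the Forge documentation or SDK, that reads the secret key from the environment, checks it has the documented forge_sk_ prefix, and builds the Bearer header above. The alphabet and minimum length of the <random> part, the FORGE_API_KEY variable name and the API_BASE host are assumptions; the page specifies only the prefix and the header.

```python
import os
import re
import urllib.request
from typing import Mapping

# The page documents the key shape as forge_sk_<random> but not the alphabet or
# length of <random>; this pattern is an assumption made for the example.
KEY_PATTERN = re.compile(r"^forge_sk_[A-Za-z0-9_-]{16,}$")

# Placeholder host: the page does not give the API base URL.
API_BASE = os.environ.get("FORGE_API_BASE", "https://api.example.invalid")


def is_valid_key_format(key: str) -> bool:
    """True if the value carries the forge_sk_ prefix and a plausible secret part."""
    return bool(KEY_PATTERN.match(key or ""))


def load_api_key(environ: Mapping[str, str] = os.environ,
                 env_var: str = "FORGE_API_KEY") -> str:
    """Read the secret key from the environment, never from source code.

    Fails loudly when the variable is missing or malformed so that a bad
    deployment is caught before any request is sent.
    """
    key = environ.get(env_var, "")
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    if not is_valid_key_format(key):
        raise ValueError(f"{env_var} does not look like a Forge secret key (forge_sk_...)")
    return key


def auth_headers(key: str) -> dict[str, str]:
    """Build the Authorization header exactly as the page specifies."""
    return {"Authorization": f"Bearer {key}"}


def redact(key: str) -> str:
    """Loggable form of a key: the prefix identifies the key family, the secret stays hidden."""
    if not is_valid_key_format(key):
        return "<invalid-key>"
    return key[:9] + "..." + key[-4:]


def build_request(path: str, environ: Mapping[str, str] = os.environ) -> urllib.request.Request:
    """Assemble an authenticated request object for the given API path."""
    key = load_api_key(environ)
    return urllib.request.Request(API_BASE + path, headers=auth_headers(key))


if __name__ == "__main__":
    # Demonstration with a constructed key; a real run would set FORGE_API_KEY instead.
    demo_env = {"FORGE_API_KEY": "forge_sk_CONSTRUCTEDSAMPLEKEY0001"}
    req = build_request("/v1/example", demo_env)
    print(req.full_url, "using key", redact(demo_env["FORGE_API_KEY"]))
```

Because the key is only ever read from the process environment, the same code runs unchanged under a secrets manager that injects environment variables, and the redact helper is what should reach logs rather than the raw header.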

Key Management

  • Create: Dashboard → API Keys → Create Key
  • Rotate: Create a new key, update your applications, then delete the old key
  • Revoke: Delete a key immediately from the dashboard. Revocation takes effect within seconds.
  • Scopes: Keys can be scoped to specific endpoints (e.g., read-only, chat-only, admin)

Dashboard Authentication

The Forge Dashboard uses Clerk for authentication, supporting email/password, Google OAuth, GitHub OAuth, SSO/SAML (Enterprise tier), and SCIM provisioning (Enterprise tier).

Enterprise: SSO & SCIM

Enterprise customers can configure SAML-based Single Sign-On and SCIM user provisioning. Contact the sales team or configure SSO directly from Dashboard → Settings → Authentication.

Security Best Practices

  • Never commit API keys to version control
  • Use environment variables or a secrets manager
  • Rotate keys periodically (every 90 days recommended)
  • Use scoped keys with minimum required permissions
  • Monitor key usage in the dashboard for anomalies
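Two of the practices above can be checked mechanically: scanning a working tree for hard-coded forge_sk_ keys before they reach version control, and flagging keys older than the recommended 90 days. The script below is an added example, not tooling shipped with Forge; the sample files and the key inventory are constructed, and the regular expression for the secret part assumes an alphabet and minimum length the page does not specify.

```python
import re
from datetime import date

# Assumed shape of the secret part; the page documents only the forge_sk_ prefix.
# The length floor also keeps short documentation placeholders such as
# forge_sk_your_key_here from being reported as leaks.
LEAK_PATTERN = re.compile(r"forge_sk_[A-Za-z0-9_-]{16,}")

# Constructed sample files standing in for a working tree about to be committed.
SAMPLE_FILES = {
    "config.py": 'API_KEY = "forge_sk_CONSTRUCTEDSAMPLEKEY0001"\n',
    "app.py": 'import os\nkey = os.environ["FORGE_API_KEY"]\n',
    ".env.example": "FORGE_API_KEY=forge_sk_your_key_here\n",
}

# Constructed key inventory in the shape a dashboard export might take.
SAMPLE_KEYS = [
    {"name": "ci-readonly", "scope": "read-only", "created": "2024-01-15"},
    {"name": "chat-bot", "scope": "chat-only", "created": "2024-04-01"},
]


def redact(match: str) -> str:
    """Keep the prefix and a few characters so the finding is identifiable, drop the rest."""
    return match[:13] + "..."


def find_leaked_keys(files: dict) -> list:
    """Return (path, line number, redacted key) for every hard-coded key found."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in LEAK_PATTERN.finditer(line):
                findings.append((path, line_no, redact(match.group(0))))
    return findings


def keys_due_for_rotation(keys: list, today: str, max_age_days: int = 90) -> list:
    """Names of keys whose age on `today` (ISO date) exceeds the rotation window."""
    as_of = date.fromisoformat(today)
    due = []
    for key in keys:
        age_days = (as_of - date.fromisoformat(key["created"])).days
        if age_days > max_age_days:
            due.append(key["name"])
    return due


if __name__ == "__main__":
    for path, line_no, shown in find_leaked_keys(SAMPLE_FILES):
        print(f"leak: {path}:{line_no} {shown}")
    for name in keys_due_for_rotation(SAMPLE_KEYS, date.today().isoformat()):
        print(f"rotate: {name} is older than 90 days")
```

Wired into a pre-commit hook, a non-empty result from find_leaked_keys is the signal to block the commit; run against the dashboard's key list, keys_due_for_rotation gives the candidates for the create-new, update, delete-old rotation sequence described under Key Management.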