Get started

Authentication

Every request to Forge is authenticated with an API key sent as a Bearer token in the Authorization header.

Header format

httphttp
Authorization: Bearer <FORGE_KEY>
Content-Type: application/json

Keys start with ak- followed by a UUID. Treat them like passwords — never commit them, never log them, and rotate immediately if leaked.

Key scopes

  • policylow, standard, or all. Controls which models the key can call.
  • quota_type — daily, weekly, monthly, yearly, total, or unlimited.
  • allowed_models / denied_models — allow / deny lists by model name or vendor.
  • ip_whitelist — optional CIDR list to restrict source IPs.

Rotating a key

From the console, open the key and click Rotate. The old secret stops working immediately; the new secret is shown once and inherits all scopes from the old key.

Never embed a Forge key in client-side code. Proxy requests through your backend, or issue per-user BYOK tokens.