Get started
Authentication
Every request to Forge is authenticated with an API key sent as a Bearer token in the Authorization header.
Header format
httphttp
Authorization: Bearer <FORGE_KEY> Content-Type: application/json
Keys start with ak- followed by a UUID. Treat them like passwords — never commit them, never log them, and rotate immediately if leaked.
Key scopes
- policy —
low,standard, orall. Controls which models the key can call. - quota_type — daily, weekly, monthly, yearly, total, or unlimited.
- allowed_models / denied_models — allow / deny lists by model name or vendor.
- ip_whitelist — optional CIDR list to restrict source IPs.
Rotating a key
From the console, open the key and click Rotate. The old secret stops working immediately; the new secret is shown once and inherits all scopes from the old key.
Never embed a Forge key in client-side code. Proxy requests through your backend, or issue per-user BYOK tokens.