API Overview
FORG has two different API surfaces with different authentication models. Keep them separate:
- Customer REST API (public):
https://forg.pro/api/v1using customer API keys. - Agent ingest API (internal): engine ingestion endpoints using per-session HMAC signatures.
1) Customer REST API (public)
This is the documented integration surface for customer applications and automation. It is described by the published OpenAPI spec and authenticated with bearer API keys.
Base URL: https://forg.pro/api/v1
Auth: Authorization: Bearer forg_live_{32hex} | forg_test_{32hex}
Spec: https://forg.pro/api/v1/openapi.jsonMost non-SCIM routes are read-only; certain resources (webhooks, projects, alerts, goals, and API keys) support scoped writes. SCIM provisioning endpoints require a separate org SCIM bearer token.
Generated endpoint index (from OpenAPI)
The table below is generated directly from readOnlySpec() (the same source used by /api/v1/openapi.json), so docs stay aligned with the published spec.
| Method | Path | Summary | Auth |
|---|---|---|---|
GET | /api/v1/alerts | List alerts | API key bearer |
GET | /api/v1/api-keys | List API keys | API key bearer |
GET | /api/v1/audit-log | List audit log entries | API key bearer |
GET | /api/v1/audit-log/stream | Get SIEM stream config | API key bearer |
GET | /api/v1/gateway/keys | List virtual gateway keys | API key bearer |
GET | /api/v1/gateway/requests | List recent gateway requests | API key bearer |
GET | /api/v1/goals | List goals | API key bearer |
GET | /api/v1/goals/{goalId} | Get goal | API key bearer |
GET | /api/v1/license/machines | List licensed machines | API key bearer |
GET | /api/v1/me | Get authenticated user | API key bearer |
GET | /api/v1/me/data | Export personal data (GDPR Art. 20) | API key bearer |
GET | /api/v1/org/{orgId}/analytics | Org analytics | API key bearer |
GET | /api/v1/org/{orgId}/audit | Org audit log | API key bearer |
GET | /api/v1/org/{orgId}/members | List org members | API key bearer |
GET | /api/v1/org/{orgId}/teams | List org teams | API key bearer |
GET | /api/v1/org/{orgId}/usage | Org 30-day usage KPIs | API key bearer |
GET | /api/v1/profile | Get profile | API key bearer |
GET | /api/v1/projects | List projects | API key bearer |
GET | /api/v1/releases/latest | Latest binary release | API key bearer |
GET | /api/v1/scim/Groups | List SCIM groups | SCIM bearer |
POST | /api/v1/scim/Groups | Create SCIM group | SCIM bearer |
DELETE | /api/v1/scim/Groups/{groupId} | Delete SCIM group | SCIM bearer |
GET | /api/v1/scim/Groups/{groupId} | Get SCIM group | SCIM bearer |
PUT | /api/v1/scim/Groups/{groupId} | Replace SCIM group | SCIM bearer |
GET | /api/v1/scim/Users | List SCIM users | SCIM bearer |
POST | /api/v1/scim/Users | Create SCIM user | SCIM bearer |
DELETE | /api/v1/scim/Users/{userId} | Deprovision SCIM user | SCIM bearer |
GET | /api/v1/scim/Users/{userId} | Get SCIM user | SCIM bearer |
PUT | /api/v1/scim/Users/{userId} | Replace SCIM user | SCIM bearer |
GET | /api/v1/sessions | List telemetry sessions | API key bearer |
GET | /api/v1/sessions/{id} | Get session | API key bearer |
GET | /api/v1/sessions/{sessionId}/interventions | List interventions for a session | API key bearer |
GET | /api/v1/team/{teamId} | Get team | API key bearer |
GET | /api/v1/team/{teamId}/analytics | Team analytics | API key bearer |
GET | /api/v1/team/{teamId}/members | List team members | API key bearer |
GET | /api/v1/webhooks | List webhooks | API key bearer |
GET | /api/v1/webhooks/{id} | Get webhook | API key bearer |
2) Agent ingest API (internal, HMAC)
This surface is for FORG agent/runtime telemetry transport, not customer API-key integrations. Requests are signed per session and verified server-side.
Ingress surface: https://engine.forg.pro (and same-host /engine/v1 proxy)
Auth model: HMAC-SHA256 request signature over signed envelope + body hash
Key source: internal session-key exchange (operator/internal only)Signed envelope headers:
| Header | Purpose |
|---|---|
x-forg-device | Device fingerprint hash |
x-forg-session | Session UUID |
x-forg-timestamp | Freshness window validation |
x-forg-nonce | Replay protection |
x-forg-signature | HMAC signature |
Do not send customer API keys to internal ingest endpoints.
OpenAPI spec
Import https://forg.pro/api/v1/openapi.json into Postman, Insomnia, or a client generator.