Skip to main content
API Reference

API Overview

FORG has two different API surfaces with different authentication models. Keep them separate:

  • Customer REST API (public): https://forg.pro/api/v1 using customer API keys.
  • Agent ingest API (internal): engine ingestion endpoints using per-session HMAC signatures.

1) Customer REST API (public)

This is the documented integration surface for customer applications and automation. It is described by the published OpenAPI spec and authenticated with bearer API keys.

Base URL: https://forg.pro/api/v1
Auth: Authorization: Bearer forg_live_{32hex} | forg_test_{32hex}
Spec: https://forg.pro/api/v1/openapi.json

Most non-SCIM routes are read-only; certain resources (webhooks, projects, alerts, goals, and API keys) support scoped writes. SCIM provisioning endpoints require a separate org SCIM bearer token.

Generated endpoint index (from OpenAPI)

The table below is generated directly from readOnlySpec() (the same source used by /api/v1/openapi.json), so docs stay aligned with the published spec.

MethodPathSummaryAuth
GET/api/v1/alertsList alertsAPI key bearer
GET/api/v1/api-keysList API keysAPI key bearer
GET/api/v1/audit-logList audit log entriesAPI key bearer
GET/api/v1/audit-log/streamGet SIEM stream configAPI key bearer
GET/api/v1/gateway/keysList virtual gateway keysAPI key bearer
GET/api/v1/gateway/requestsList recent gateway requestsAPI key bearer
GET/api/v1/goalsList goalsAPI key bearer
GET/api/v1/goals/{goalId}Get goalAPI key bearer
GET/api/v1/license/machinesList licensed machinesAPI key bearer
GET/api/v1/meGet authenticated userAPI key bearer
GET/api/v1/me/dataExport personal data (GDPR Art. 20)API key bearer
GET/api/v1/org/{orgId}/analyticsOrg analyticsAPI key bearer
GET/api/v1/org/{orgId}/auditOrg audit logAPI key bearer
GET/api/v1/org/{orgId}/membersList org membersAPI key bearer
GET/api/v1/org/{orgId}/teamsList org teamsAPI key bearer
GET/api/v1/org/{orgId}/usageOrg 30-day usage KPIsAPI key bearer
GET/api/v1/profileGet profileAPI key bearer
GET/api/v1/projectsList projectsAPI key bearer
GET/api/v1/releases/latestLatest binary releaseAPI key bearer
GET/api/v1/scim/GroupsList SCIM groupsSCIM bearer
POST/api/v1/scim/GroupsCreate SCIM groupSCIM bearer
DELETE/api/v1/scim/Groups/{groupId}Delete SCIM groupSCIM bearer
GET/api/v1/scim/Groups/{groupId}Get SCIM groupSCIM bearer
PUT/api/v1/scim/Groups/{groupId}Replace SCIM groupSCIM bearer
GET/api/v1/scim/UsersList SCIM usersSCIM bearer
POST/api/v1/scim/UsersCreate SCIM userSCIM bearer
DELETE/api/v1/scim/Users/{userId}Deprovision SCIM userSCIM bearer
GET/api/v1/scim/Users/{userId}Get SCIM userSCIM bearer
PUT/api/v1/scim/Users/{userId}Replace SCIM userSCIM bearer
GET/api/v1/sessionsList telemetry sessionsAPI key bearer
GET/api/v1/sessions/{id}Get sessionAPI key bearer
GET/api/v1/sessions/{sessionId}/interventionsList interventions for a sessionAPI key bearer
GET/api/v1/team/{teamId}Get teamAPI key bearer
GET/api/v1/team/{teamId}/analyticsTeam analyticsAPI key bearer
GET/api/v1/team/{teamId}/membersList team membersAPI key bearer
GET/api/v1/webhooksList webhooksAPI key bearer
GET/api/v1/webhooks/{id}Get webhookAPI key bearer

2) Agent ingest API (internal, HMAC)

This surface is for FORG agent/runtime telemetry transport, not customer API-key integrations. Requests are signed per session and verified server-side.

Ingress surface: https://engine.forg.pro (and same-host /engine/v1 proxy)
Auth model: HMAC-SHA256 request signature over signed envelope + body hash
Key source: internal session-key exchange (operator/internal only)

Signed envelope headers:

HeaderPurpose
x-forg-deviceDevice fingerprint hash
x-forg-sessionSession UUID
x-forg-timestampFreshness window validation
x-forg-nonceReplay protection
x-forg-signatureHMAC signature

Do not send customer API keys to internal ingest endpoints.

OpenAPI spec

Import https://forg.pro/api/v1/openapi.json into Postman, Insomnia, or a client generator.

© 2026 FORG by UpgradIQ, Inc. All rights reserved.Edit this page on GitHub