Skip to main content
API Reference
Authentication
FORG uses different authentication models for different surfaces. Use the right one for the right API.
Customer REST API authentication (public /api/v1)
Customer REST endpoints use bearer API keys in the Authorization header.
Authorization: Bearer forg_live_{32hex}
Authorization: Bearer forg_test_{32hex}Create keys from /dashboard/account?section=keys. Most non-SCIM routes are read-only; certain resources (webhooks, projects, alerts, goals, and API keys) support scoped writes.
Example
curl https://forg.pro/api/v1/sessions -H "Authorization: Bearer $FORG_API_KEY"SCIM authentication (Enterprise provisioning)
SCIM endpoints (/api/v1/scim/*) use a separate org SCIM bearer token, not customer API keys.
Agent ingest authentication (internal)
Agent ingestion does not use customer API keys. It uses signed request envelopes:
x-forg-devicex-forg-sessionx-forg-timestampx-forg-noncex-forg-signature
These headers are verified with per-session HMAC keys through internal infrastructure.
Common auth errors
{ "error": "Unauthorized" } // missing/invalid bearer token
{ "error": "insufficient_scope" } // route not available for this auth mode
{ "error": "missing-signature" } // internal ingest request missing HMAC envelope© 2026 FORG by UpgradIQ, Inc. All rights reserved.Edit this page on GitHub