Skip to main content
API Reference

Authentication

FORG uses different authentication models for different surfaces. Use the right one for the right API.

Customer REST API authentication (public /api/v1)

Customer REST endpoints use bearer API keys in the Authorization header.

Authorization: Bearer forg_live_{32hex}
Authorization: Bearer forg_test_{32hex}

Create keys from /dashboard/account?section=keys. Most non-SCIM routes are read-only; certain resources (webhooks, projects, alerts, goals, and API keys) support scoped writes.

Example

curl https://forg.pro/api/v1/sessions   -H "Authorization: Bearer $FORG_API_KEY"

SCIM authentication (Enterprise provisioning)

SCIM endpoints (/api/v1/scim/*) use a separate org SCIM bearer token, not customer API keys.

Agent ingest authentication (internal)

Agent ingestion does not use customer API keys. It uses signed request envelopes:

  • x-forg-device
  • x-forg-session
  • x-forg-timestamp
  • x-forg-nonce
  • x-forg-signature

These headers are verified with per-session HMAC keys through internal infrastructure.

Common auth errors

{ "error": "Unauthorized" }        // missing/invalid bearer token
{ "error": "insufficient_scope" }   // route not available for this auth mode
{ "error": "missing-signature" }    // internal ingest request missing HMAC envelope
© 2026 FORG by UpgradIQ, Inc. All rights reserved.Edit this page on GitHub