Overview

ForgeAI API keys let you authenticate requests to account-scoped endpoints without maintaining a live browser session. You can create keys from your account dashboard and use them in server-to-server integrations, bots, or custom tooling.
API keys are currently issued for personal use. They are tied to your Privy account (your Solana wallet identity). Each user can have up to 10 active keys.

Creating an API Key

  1. Sign in to forgeai.gg.
  2. Navigate to Account → API Keys.
  3. Click Create New Key.
  4. Give the key a name (e.g. my-bot-prod).
  5. Optionally set an expiry (1–365 days) and a webhook URL.
  6. Click Create.
Copy the key value immediately. It is shown only once at creation time and cannot be retrieved afterwards. If you lose it, revoke the key and create a new one.

Key format

API keys have a prefix followed by a random secret:
fai_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
The prefix (keyPrefix) is stored in plaintext and shown in the key list view. Use it to identify which key is which without exposing the secret.

Using an API Key

Pass the key in the Authorization header:
curl https://forgeai.gg/api/account \
  -H "Authorization: Bearer fai_live_YOUR_KEY_HERE"
Account-scoped endpoints (/api/account, /api/api-keys) require Privy session authentication via the privy-token cookie — not API keys. API keys are intended for future account-level endpoint access. Check the individual endpoint docs for authentication requirements.

Scopes

When creating a key you can specify scopes. Currently supported scopes:
| Scope | Description |
| ----- | ----------- |
| read  | Read-only access |
| write | Write access |
If no scopes are specified, the key defaults to ["read", "write"].

Webhook Configuration

If you provide a webhookUrl at creation time, ForgeAI will generate a webhookSecret (returned once at creation). Use this secret to verify the signature of incoming webhook requests from ForgeAI. Webhook payloads are signed using HMAC-SHA256 with the shared secret. Validate the signature on your server before processing the payload.
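An added example (not ForgeAI's own code) of the server-side check described above. The header name and the hex encoding of the signature over the raw request body are assumptions, since this page does not specify them; the secret and payload are constructed.

```python
import hashlib
import hmac
import json

# Assumptions (not from the ForgeAI docs): the signature is the hex-encoded
# HMAC-SHA256 of the raw request body, delivered in a request header.
# The header name is a hypothetical placeholder; use the documented one.
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical


def compute_signature(webhook_secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received on the wire."""
    return hmac.new(webhook_secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(webhook_secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header carries a valid signature for raw_body."""
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned request: reject
    expected = compute_signature(webhook_secret, raw_body)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_webhook(webhook_secret: str, raw_body: bytes, headers: dict):
    """Verify first, parse second. Returns (http_status, payload_or_None)."""
    if not verify_webhook(webhook_secret, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample data, for illustration only.
SAMPLE_SECRET = "constructed-secret-not-real"
SAMPLE_BODY = b'{"event":"example.event","id":"evt_1"}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # A tampered body presented with the original signature is rejected.
    tampered = SAMPLE_BODY.replace(b"evt_1", b"evt_2")
    print(handle_webhook(SAMPLE_SECRET, tampered, SAMPLE_HEADERS))
```

Verify against the raw bytes exactly as received: re-serializing the parsed JSON changes the bytes, and the signature no longer matches.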

Revoking a Key

From the dashboard:
  1. Go to Account → API Keys.
  2. Find the key you want to revoke.
  3. Click Revoke.
Revoked keys immediately stop working. This cannot be undone — if you need access again, create a new key. You can also revoke a key via the API:
curl -X DELETE https://forgeai.gg/api/api-keys/{keyId} \
  -H "Cookie: privy-token=YOUR_PRIVY_SESSION_TOKEN"

Key Management Best Practices

Create separate keys for each application or script. This lets you revoke access for a specific integration without affecting others.
For keys used in automated pipelines, set an expiry date and rotate them regularly. This limits the blast radius if a key is accidentally exposed.
Store API keys in environment variables or a secrets manager, never in your codebase or repository.
The API key list shows the lastUsedAt timestamp for each key. Keys that have not been used recently are candidates for revocation.

Next Steps

API Reference

Full endpoint reference including authentication details.

Register for a Tournament

Use the API to automate tournament registration.