Authentication
All API requests require Bearer token authentication in the Authorization header:
Authorization: Bearer YOUR_API_TOKEN
The API validates:
- Token signature and integrity
- Token expiration
- Associated user permissions
- License status at token creation time
Tokens are cryptographically signed JSON Web Tokens (JWT) that contain:
- User identification
- Token expiration timestamp
- License validation information
- Creation timestamp
Token storage:
- Tokens are stored using Forge KVS (Key-Value Store) secrets
- Bank-level encryption for all stored tokens
- Tokens are hashed and cannot be retrieved after creation
Token expiration:
- Tokens automatically expire at the end of the selected expiration period
- Expired tokens are rejected immediately
- No grace period after expiration
License validation:
- Tokens created while the license is active remain valid until expiration
- License status is validated at token creation time only
- Tokens persist even if the license expires after creation
Creating a token:
- Navigate to the API Token Management page
- Click "Create New Token"
- Configure label and expiration
- Copy the token immediately (it is shown only once)
Viewing tokens:
- View all active tokens in the management page
- See token label, creation date, and expiration date
- Cannot view the token value after creation
Revoking a token:
- Locate the token in the management page
- Click the "Revoke" button
- Confirm revocation
- The token becomes invalid immediately
Limits:
- Maximum tokens per instance: 50
- Maximum expiration period: 30 days
- Minimum expiration period: 1 day
- Token visibility: shown only once at creation
Do:
- Store tokens in environment variables
- Use secret management systems
- Rotate tokens regularly
- Revoke unused tokens immediately
- Use HTTPS for all API requests
- Set shorter expiration periods for higher security
- Create separate tokens for different environments
Don't:
- Never commit tokens to version control
- Don't expose tokens in client-side code
- Don't share tokens between environments
- Don't log tokens in application logs
- Don't send tokens over unencrypted connections
- Don't store tokens in plain text files
- Don't use expired or revoked tokens
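The following is an added example, not code from this product or the page's author, showing the client-side habits the best-practice list asks for: the token is read from an environment variable rather than a file or source code, requests are refused unless the endpoint is HTTPS, and bearer tokens are masked before anything is written to application logs. The environment variable name API_TOKEN and the example URL are assumptions made for this example.

```javascript
// Added example (not the product's own code). Assumption: the token is
// exported in the environment variable API_TOKEN by a secret manager.
const TOKEN_ENV_VAR = 'API_TOKEN';

// Read the token from the environment instead of a plain-text file or code.
function loadToken(env = process.env) {
  const token = env[TOKEN_ENV_VAR];
  if (!token || token.trim() === '') {
    throw new Error(`${TOKEN_ENV_VAR} is not set; export it from your secret manager`);
  }
  return token.trim();
}

// Build the Authorization header, refusing any endpoint that is not HTTPS so the
// token never travels over an unencrypted connection.
function buildRequest(url, token) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:') {
    throw new Error(`refusing to send a bearer token over ${parsed.protocol}`);
  }
  return { url: parsed.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Mask any "Bearer <token>" occurrence before text reaches a log sink.
const BEARER_RE = /Bearer\s+[A-Za-z0-9\-_.=]+/g;
function redactTokens(text) {
  return text.replace(BEARER_RE, 'Bearer [REDACTED]');
}

// A log-safe rendering of a request object: serialise, then redact.
function loggableRequest(request) {
  return redactTokens(JSON.stringify(request));
}

// Rotate ahead of expiry: true when the token expires within leadSeconds.
function needsRotation(expiresAt, now, leadSeconds = 86400) {
  return expiresAt - now <= leadSeconds;
}

// Usage with a constructed environment (no network call is made here).
const demoRequest = buildRequest(
  'https://api.example.invalid/v1/items',        // assumed example endpoint
  loadToken({ [TOKEN_ENV_VAR]: 'constructed.example.token' })
);
console.log(loggableRequest(demoRequest));      // Authorization value is masked
```

The redaction regex is deliberately broad (it matches the base64url alphabet plus dots and padding), so it also catches tokens that leak through error messages or stack traces that include a request object.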
Token lifecycle:
Creation → Active → Expired/Revoked
- Creation: Token generated and displayed once
- Active: Token validates and authorizes API requests
- Expired/Revoked: Token becomes invalid and requests are rejected
Causes:
- Missing Authorization header
- Incorrect token format
- Token not found in system
Solutions:
- Verify header format:
Authorization: Bearer YOUR_TOKEN
- Check token was copied correctly
- Ensure token hasn't been deleted
Causes:
- Token expired
- Token verification failed
Solutions:
- Check token expiration date
- Create new token if expired
- Verify clock synchronization
Causes:
- License was inactive when token was created
- Token created during trial period that has ended
Solutions:
- Verify current license status
- Create new token with active license
- Contact admin to renew license