Skip to main content

API Authentication

All requests to the Forest Public API require authentication using API tokens. This guide explains how to create, manage, and use API tokens securely.

Authentication Overview

Forest uses Bearer token authentication for API requests. Each token:
  • Is associated with a specific Forest project
  • Can have different permission scopes
  • Should be treated as sensitive credentials
  • Revocable at any time

Creating API Tokens

Step 1: Access Account Settings

  1. Log in to your Forest account
  2. Click on your User Profile avatar in the bottom left hand corner
  3. Click on Account Settings

Step 2: Generate Token

  1. From the list of existing tokens, click on Generate New Token
  2. Give it a name, and click on Generate Token

Step 3: Save Token

Important: Copy and save your token immediately. For security reasons, you won’t be able to see it again. If you lose the token, you’ll need to generate a new one.

Using API Tokens

Include your API token in the Authorization header of all requests using the Bearer scheme:

Example Requests

cURL:
JavaScript (Node.js):
Python:
Ruby:

Token Security

Storing Tokens Securely

Best Practice: Store API tokens in environment variables or secure secrets management systems, never in code or version control.
Environment Variables:
Secrets Managers:
  • AWS Secrets Manager
  • Google Cloud Secret Manager
  • Azure Key Vault
  • HashiCorp Vault
  • 1Password Secrets Automation

What NOT to Do

Never commit tokens to version control:
Never expose tokens in client-side code:
Never log tokens:

Secure Practices

Use environment variables:
Use secrets management:
Rotate tokens regularly:

Token Permissions

Permission Levels

Read-Only:
  • View activity logs
  • View admin logs
  • Read notes
  • Cannot create or modify data
Read-Write:
  • All read permissions
  • Create and update notes
  • Perform write operations (where available)

Scope Limitations

Limit token access to only the endpoints needed: Example: Audit-only token

Token Management

Listing Active Tokens

View all active tokens in Project Settings > API Access:
  • Token name
  • Creation date
  • Last used
  • Expiration date
  • Scopes

Rotating Tokens

Regular token rotation improves security:
  1. Generate a new token with same permissions
  2. Update all integrations to use new token
  3. Verify all integrations working
  4. Revoke the old token
Recommended rotation schedule:
  • Production: Every 90 days
  • Development: Every 180 days
  • Testing: As needed

Revoking Tokens

Immediately revoke a token if:
  • It may have been compromised
  • An integration is decommissioned
  • An team member with access leaves
  • You detect suspicious activity
To revoke:
  1. Go to Project Settings > API Access
  2. Find the token
  3. Click Revoke
  4. Confirm revocation
Revoking a token immediately stops all integrations using it. Ensure you update integrations before revoking.

Authentication Errors

401 Unauthorized

Cause: Missing, invalid, or expired token Response:
Solutions:
  • Verify token is included in Authorization header
  • Check token hasn’t expired
  • Ensure token format is correct (Bearer <token>)
  • Regenerate token if necessary

403 Forbidden

Cause: Token lacks required permissions Response:
Solutions:
  • Check token scopes include required permissions
  • Generate new token with appropriate scopes
  • Verify endpoint matches token permissions

Token Expired

Cause: Token past expiration date Response:
Solution:
  • Generate a new token
  • Update integration configuration
  • Consider longer expiration or no expiration for stable integrations

Best Practices

1. One Token Per Integration

Create separate tokens for each integration:

2. Principle of Least Privilege

Grant minimum necessary permissions:

3. Monitor Token Usage

Track token activity in Project Settings > API Access:
  • Last used timestamp
  • Request frequency
  • Error rates
  • Unusual patterns

4. Implement Error Handling

Handle authentication errors gracefully:

5. Audit Token Access

Regular security reviews:
  • Review active tokens monthly
  • Revoke unused tokens
  • Update token names to reflect current usage
  • Document token purpose and owner

Next Steps

Rate Limits

Understand API usage limits

Activity Logs

Start using the Activity Logs API

API Introduction

Back to API overview

Security

Learn about Forest security