Authentication
How API keys work and best practices for keeping them secure.
How it works
Every request to the GabForge AI API must include an Authorization header with a bearer token. The token is your API key, created from the dashboard.
Authorization: Bearer gab_sk_live_xxxxxxxxxxxxxxxx
Keys are prefixed with gab_sk_live_ for production and gab_sk_test_ for test environments.
Creating an API key
1. Sign in at gabforge.ai/dashboard
2. Click API Keys in the left sidebar
3. Click Create new key and enter a descriptive name (e.g. "production-server")
4. Copy the key immediately — it is shown only once. Store it in a password manager or secrets vault.
Revoking a key
Navigate to Dashboard → API Keys, find the key, and click Revoke. Revocation is immediate — any requests using that key will receive a 401 Unauthorized response.
Security best practices
Use environment variables
Store keys in .env files or your deployment platform's secrets manager. Never hard-code them in source files.
Never expose keys client-side
API calls should be made from your server, not from browser JavaScript or mobile apps where the key could be extracted.
Add .env to .gitignore
Ensure your .gitignore includes .env before the first commit. Use git secret scanning to catch accidental leaks.
Rotate keys periodically
Create a new key, update your deployment, verify it works, then revoke the old key. This minimises the blast radius if a key is ever compromised.
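The following Python helper ties together the header format from "How it works" and the "Use environment variables" and "Add .env to .gitignore" practices above. It is an added example, not GabForge's own SDK: the environment variable name GABFORGE_API_KEY and the assumption that the part after the prefix is at least 16 alphanumeric characters are mine, and the leaked key in the sample source text is constructed.

```python
import os
import re
from typing import Dict, List, Mapping, Optional

# Prefixes documented for the GabForge AI API. The body format after the
# prefix (16+ alphanumeric characters) is an assumption for this example.
KEY_PATTERN = re.compile(r"gab_sk_(live|test)_[A-Za-z0-9]{16,}")
ENV_VAR = "GABFORGE_API_KEY"  # assumed variable name, not from the docs

# Constructed file contents containing a hard-coded key, used to show scanning.
SAMPLE_SOURCE = 'API_KEY = "gab_sk_live_abcdefghijklmnop0123"  # constructed, not a real key\n'


def key_environment(key: str) -> str:
    """Return 'production' or 'test' from the prefix; raise on a malformed key."""
    if not KEY_PATTERN.fullmatch(key):
        raise ValueError("value does not look like a GabForge API key")
    return "production" if key.startswith("gab_sk_live_") else "test"


def load_api_key(environ: Optional[Mapping[str, str]] = None) -> str:
    """Read the key from the environment so it is never hard-coded in source."""
    env = os.environ if environ is None else environ
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; load it from .env or the secrets manager")
    key_environment(key)  # validate the format before any request is attempted
    return key


def auth_headers(key: str) -> Dict[str, str]:
    """Build the Authorization header that every API request must carry."""
    return {"Authorization": f"Bearer {key}"}


def redact(key: str) -> str:
    """Keep only the prefix and last four characters, safe to write to logs."""
    return key[:12] + "..." + key[-4:]


def find_leaked_keys(text: str) -> List[str]:
    """Pre-commit style check: list key-shaped strings found in file contents."""
    return [m.group(0) for m in KEY_PATTERN.finditer(text)]
```

Run find_leaked_keys over staged files in a pre-commit hook to block a commit before the key reaches the repository; a 401 Unauthorized on a request built with auth_headers means the key was revoked or mistyped, so check which key your deployment loaded with redact rather than printing the key itself.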