Getting started
Authentication
The Forkbit API uses API keys. You authenticate every request by including your key in the X-API-Key header. There is no OAuth, no token rotation, and no PKCE required on your side. Your end users never sign in to Forkbit.
Get an API key
Sign in to the dashboard with Google, open the API keys tab, and create a named key (e.g. dev, staging, prod). The full key is shown once at creation, so copy it immediately. Forkbit only stores a SHA-256 hash, so we cannot recover it later.
Send your first authenticated request
curl https://api.forkbit.io/v1/foods/search?q=oatmeal \
-H "X-API-Key: fkb_live_xxxxxxxxxxxxxxxx"Key prefixes
Every key is prefixed fkb_live_. The dashboard displays the first 8 characters of each key alongside its last-used timestamp so you can identify and rotate keys safely.
Revoking keys
Revoke a key from the dashboard at any time. Revoked keys stop authenticating immediately. The next request returns 401 with code KEY_REVOKED.
Security best practices
- → Never embed a live key in a mobile or single-page app. Proxy through your backend.
- → Use separate keys per environment so you can revoke without downtime.
- → Rotate keys on staff changes or when a key has been exposed in logs.