Forkbit

Getting started

Authentication

The Forkbit API uses API keys. You authenticate every request by including your key in the X-API-Key header. There is no OAuth, no token rotation, and no PKCE required on your side. Your end users never sign in to Forkbit.

Get an API key

Sign in to the dashboard with Google, open the API keys tab, and create a named key (e.g. dev, staging, prod). The full key is shown once at creation, so copy it immediately. Forkbit only stores a SHA-256 hash, so we cannot recover it later.

Send your first authenticated request

curl
curl https://api.forkbit.io/v1/foods/search?q=oatmeal \
  -H "X-API-Key: fkb_live_xxxxxxxxxxxxxxxx"

Key prefixes

Every key is prefixed fkb_live_. The dashboard displays the first 8 characters of each key alongside its last-used timestamp so you can identify and rotate keys safely.

Revoking keys

Revoke a key from the dashboard at any time. Revoked keys stop authenticating immediately. The next request returns 401 with code KEY_REVOKED.

Security best practices

  • → Never embed a live key in a mobile or single-page app. Proxy through your backend.
  • → Use separate keys per environment so you can revoke without downtime.
  • → Rotate keys on staff changes or when a key has been exposed in logs.