What is Access Control?

Access Control in Forge ensures that only authorized applications can interact with your team’s entities. This is achieved through HTTP Basic Authentication: every API request carries your team ID and a secret key in the Authorization header, and Forge accepts the request only if that pair is valid. Because the secret is sent with each request, whoever holds it can act as your team, so protecting it is essential to keep your data safe from unauthorized reads and modifications.


Creating Secrets for API Access

To authenticate with Forge, you need to create a secret key and use it in your server-side application. Follow these steps to set up your secret:

  1. Navigate to the Secrets Page:

    • Open the Secrets (API Keys) page in Forge.
    • Generate a new secret for your team. This secret acts as the password for API requests, so treat it like one: copy it once into your secret store and do not paste it into tickets, chat or source files.
  2. Store the Secret Securely:

    • Save the generated secret in a secure environment variable, such as process.env.FORGE_SECRET.
    • Avoid storing secrets in your source code to prevent accidental exposure.
  3. Obtain Your Team ID:

    • Your teamId (used as the username in authentication) is available in your team’s settings.

Implementing Access Control in Your Application

Example Integration

Use your teamId and secret in a server-side application to authenticate API requests:

Environment Variables

Store your credentials securely in environment variables:

FORGE_TEAM_ID=your_team_id
FORGE_SECRET=your_secret_key

Authentication Header

Generate the Authorization header by joining the teamId and secret as teamId:secret, base64-encoding that string, and prefixing the result with the scheme name and a single space: Basic <base64>. Because the receiving side splits the decoded value at the first colon, the teamId (the username) must not contain a colon; the secret may.

Example in Node.js:

const axios = require("axios");

// Load credentials from the environment (see above). Fail fast if either is
// missing rather than silently sending an "undefined:undefined" header.
const teamId = process.env.FORGE_TEAM_ID;
const secret = process.env.FORGE_SECRET;
if (!teamId || !secret) {
  throw new Error("FORGE_TEAM_ID and FORGE_SECRET must be set");
}

// Basic auth: base64("teamId:secret") prefixed with the scheme name
const authHeader = `Basic ${Buffer.from(`${teamId}:${secret}`).toString("base64")}`;

// Example API request using Axios; the team ID in the path is the same value
// used as the Basic auth username
axios
  .get(`https://api.forgegames.org/teams/${encodeURIComponent(teamId)}/items`, {
    headers: {
      Authorization: authHeader,
    },
  })
  .then((response) => {
    console.log(response.data);
  })
  .catch((error) => {
    // Log only the status or message. Logging the whole error object would
    // print error.config.headers, which includes the Authorization header.
    console.error(error.response ? error.response.status : error.message);
  });

Important Security Considerations

  1. Always Use Server-Side Applications:

    • Secrets must never be exposed in client-side code (e.g., in a browser, a mobile app, or a shipped game client). Anything delivered to users can be extracted, and anyone who extracts the secret can read your team’s data and modify its entities as if they were you.
  2. Restrict Access:

    • Store secrets in a secure location, such as environment variables or a secret management system (e.g., AWS Secrets Manager, HashiCorp Vault), and limit which people and services can read them to the servers that actually call the API.
  3. Rotate Secrets Regularly:

    • Update your secrets periodically or when you suspect they may have been exposed. Use the Secrets page to rotate keys.
  4. Use HTTPS:

    • Always send API requests over HTTPS. Basic Authentication only base64-encodes the credentials, it does not encrypt them, so on a plain HTTP connection anyone on the network path can decode the header and recover your secret.

By keeping secrets secure and using them exclusively in server-side applications, you protect your team’s entities from unauthorized access or modification.


Why Access Control Matters

Implementing proper access control ensures that:

  • Your team’s data is secure from unauthorized access.
  • Only trusted server-side applications can make changes to your entities.
  • You maintain full control over who can interact with your game resources.