> ## Documentation Index
> Fetch the complete documentation index at: https://docs.forgegames.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Control

> Securely authenticate API requests and protect your team's data

## What is Access Control?

Access Control in Forge ensures that only authorized applications can interact with your team's entities. This is achieved through **Basic Authentication**, where you use a secret key to authenticate your API requests. Proper implementation of access control is essential to protect your team's data and prevent unauthorized modifications.

***

## Creating Secrets for API Access

To authenticate with Forge, you need to create a **secret key** and use it in your server-side application. Follow these steps to set up your secret:

1. **Navigate to the Secrets Page**:

   * Go to the API Keys page in Forge.
   * Generate a new secret for your team. This secret acts as the password for API requests.

2. **Store the Secret Securely**:

   * Save the generated secret in a secure environment variable, such as `process.env.FORGE_SECRET`.
   * Avoid storing secrets in your source code to prevent accidental exposure.

3. **Obtain Your Team ID**:
   * Your `teamId` (used as the username in authentication) is available in your team's settings.

***

## Implementing Access Control in Your Application

### Example Integration

Use your `teamId` and secret in a server-side application to authenticate API requests:

#### Environment Variables

Store your credentials securely in environment variables:

```env theme={null}
FORGE_TEAM_ID=your_team_id
FORGE_SECRET=your_secret_key
```

#### Authentication Header

Generate the `Authorization` header by combining the `teamId` and secret as `teamId:secret`, then base64 encode it.

Example in Node.js:

```javascript theme={null}
const teamId = process.env.FORGE_TEAM_ID;
const secret = process.env.FORGE_SECRET;

const authHeader = `Basic ${Buffer.from(`${teamId}:${secret}`).toString("base64")}`;

// Example API request using Axios
const axios = require("axios");
axios
  .get("https://api.forgegames.org/teams/team123/items", {
    headers: {
      Authorization: authHeader,
    },
  })
  .then((response) => {
    console.log(response.data);
  })
  .catch((error) => {
    console.error(error);
  });
```

***

## Important Security Considerations

1. **Always Use Server-Side Applications**:

   * Secrets must never be exposed in client-side code (e.g., in a browser or mobile app). If exposed, anyone could use them to access your team's data and modify its entities.

2. **Restrict Access**:

   * Store secrets in a secure location, such as environment variables or a secret management system (e.g., AWS Secrets Manager, HashiCorp Vault).

3. **Rotate Secrets Regularly**:

   * Update your secrets periodically or when you suspect they may have been exposed. Use the [Secrets page](/secrets) to rotate keys.

4. **Use HTTPS**:
   * Always send API requests over HTTPS to encrypt the credentials during transmission.

<Tip>
  By keeping secrets secure and using them exclusively in server-side
  applications, you protect your team’s entities from unauthorized access or
  modification.
</Tip>

***

## Why Access Control Matters

Implementing proper access control ensures that:

* Your team’s data is secure from unauthorized access.
* Only trusted server-side applications can make changes to your entities.
* You maintain full control over who can interact with your game resources.
