Authentication
The API authenticates with per-workspace API keys. (Signing in to the app itself uses WorkOS — SAML/OIDC SSO for Enterprise workspaces — but app sign-in is separate from API auth.)
API keys
Pass your key as Authorization: Bearer $FORUM_API_KEY. Generate and revoke keys in the app at API keys. Keys look like fmk_live_<32 hex> for production and fmk_test_<32 hex> for test mode (same host, test-mode data handling). Keys are stored hashed server-side and shown once at creation.
curl "https://api.forumatlas.com/v1/briefs" \
-H "Authorization: Bearer $FORUM_API_KEY"Scopes
Every key carries a scope list; endpoints are default-deny. The wildcard scopes * and all grant everything.
| Scope | Grants |
|---|---|
| query:read | POST /v1/query, /v1/causal, /v1/tutor |
| brief:read | GET /v1/briefs, /v1/briefs/{id}, /v1/briefs/{id}/bibliography |
| brief:write | POST /v1/brief (generate) |
| forecast:read | GET /v1/forecasts, /v1/forecasts/{id} |
| forecast:write | POST /v1/forecast (generate) |
| entities:read | all GET /v1/entities/* + POST /v1/entities/resolve |
| sources:read | GET /v1/sources*, /v1/documents/{id} |
| anomalies:write | POST /v1/anomalies/subscribe |
| usage:read | GET /v1/usage |
Tier gates
Some endpoints are additionally gated by plan tier, independent of scopes: on Free, POST /v1/brief is capped (30/mo) and tutor capped (20/mo); deliberate-mode query, forecast generation, causal, and anomalies/subscribe require Team or above. Exceeding a monthly cap returns a quota-exceeded error.
Per-Enterprise SSO (app sign-in)
Enterprise workspaces can configure SAML or OIDC SSO via WorkOS for signing in to the app. This governs who can access the workspace (and therefore mint API keys) — it is not an API authentication mode.