API Tokens
API tokens authenticate game plugins and custom integrations against the Ingest API. Each token is scoped to a specific project and environment.
Token format
All logger tokens start with the prefix flg_ followed by a random string:
flg_a1b2c3d4e5f6g7h8i9j0...Creating a token
Navigate to Settings and click New Token.
| Field | Required | Description |
|---|---|---|
| Name | Yes | Descriptive name (3-120 characters), e.g. "Godot Dev", "CI Build" |
| Project | Yes | The project this token can write to |
| Environment | Yes | The environment this token is scoped to |
After creation, the full token is displayed once. Copy it immediately and store it securely. You will not be able to see the full token again.
Token list
The Settings page shows all active tokens with:
| Field | Description |
|---|---|
| Name | Token display name |
| Token preview | First and last characters of the token (e.g. flg_a1b2...j0k1) |
| Project | Associated project name |
| Environment | Associated environment name and color |
| Created | When the token was generated |
| Last used | When the token was last used for authentication (null if never used) |
Revoking a token
Click the Revoke button next to a token to permanently disable it. Revoked tokens cannot
be restored. Any game or plugin using the revoked token will receive 401 Unauthorized errors.
Using tokens
Include the token in the Authorization header of all Ingest API requests:
Authorization: Bearer flg_a1b2c3d4e5f6g7h8i9j0...In game engine plugins
- Godot — set the
api_keyin Project Settings underforge_logger/ - Unity — set the token in the ForgeLogger inspector (coming soon)
- Unreal — set the token in the ForgeLogger plugin settings (coming soon)
In custom integrations
const headers = {
'Authorization': `Bearer ${process.env.FORGE_LOGGER_TOKEN}`,
'Content-Type': 'application/json',
};Security best practices
- Never commit tokens to version control. Use environment variables or encrypted config.
- Rotate tokens regularly — create a new token, update your builds, then revoke the old one.
- Scope tokens tightly — create separate tokens for each environment. A production token should not be used in development builds.
- Monitor last used — if a token hasn’t been used in a long time, consider revoking it.