Authentication - Secure API Access
Instant JSON Validation and Transformation
Generate & Manage API Keys
JSONForge uses bearer tokens to authenticate programmatic access to the Validation, Transformation, and Schema endpoints. Each key is scoped to specific tenant workspaces and rate-limited at 12,000 requests per hour.
Navigate to the Developer Console, select your active workspace, and click "Create Credential." The system will generate a 64-character alphanumeric string prefixed with jf_live_. You will only see the full token once, so copy it immediately to a secure manager or directly into your local configuration.
Validation & Schema Checks
Use jf_live_ro_ prefixed keys for CI linting pipelines. These tokens can only hit /v2/validate and /v2/schema endpoints without triggering write operations or quota deductions.
Transform & Store
Standard jf_live_ keys unlock the /v2/transform and /v2/batch routes. Required for automated data cleansing, webhook payloads, and scheduled JSON-to-CSV exports.
Testing & Development
Keys prefixed with jf_test_ route traffic to isolated staging clusters. They inherit identical rate limits but never touch production datasets or trigger billing events.
Secure Credential Storage
Hardcoding tokens in source repositories instantly triggers our automated leak detection. JSONForge recommends storing credentials in environment variables or secrets managers to maintain compliance with SOC2 Type II and ISO 27001 standards.
On local machines, use export JSONFORGE_API_KEY="jf_live_..." in your shell profile. For containerized deployments, inject the token via Docker secrets or Kubernetes Secret objects rather than relying on .env files that may accidentally commit to version control.
Shell & Dotenv Configuration
Add JSONFORGE_API_KEY to your ~/.bashrc or ~/.zshrc. Node.js and Python projects should load the variable via process.env or os.environ before initializing the SDK client.
GitHub Actions & GitLab Runners
Store the token in repository Settings > Secrets and Variables. Reference it in workflow YAML files using ${{ secrets.JSONFORGE_API_KEY }} to prevent plaintext exposure in build logs.
HashiCorp Vault & AWS Secrets Manager
For production microservices, rotate keys programmatically using dynamic secrets. JSONForge supports short-lived tokens with 15-minute TTLs when fetched via IAM roles or Vault policies.
Rotation & Token Lifecycle
Proactive key rotation minimizes blast radius during credential exposure. JSONForge supports seamless handover by allowing two active keys per workspace, ensuring zero downtime during migration.
When you generate a replacement key, the previous token remains valid for 14 days. During this grace period, both keys route to the same rate-limit bucket and permission set. After day 14, the older key automatically deactivates and appears as "Revoked" in your audit trail.
Monitor Endpoint Hits
The dashboard tracks daily request volume per key. Alerts trigger at 80% and 95% of your 12,000 hourly limit, giving engineering teams time to scale or optimize payload sizes before throttling occurs.
Instant Deactivation
Compromised tokens can be terminated immediately from the Developer Console. Revocation takes effect within 60 seconds across all edge nodes. Full request logs are retained for 365 days for forensic review.
Scheduled Key Renewal
Enable the 90-day auto-rotation policy to have the system generate a fresh token and notify your webhook endpoint. Your infrastructure can fetch the new value and swap it without manual intervention.