Developer documentation

Build with ForgeBaaS

A REST backend you can call from anywhere. Authenticate with a single key, query your tables, upload files, and ship. Everything you need to integrate ForgeBaaS into your app — in one page.

Overview

What is ForgeBaaS?

ForgeBaaS gives you a managed REST backend for any project: data tables, authentication, storage, and serverless functions — accessible from any client over HTTPS using a single API key. No servers to maintain. No SQL to write.

  • Per-project isolation. Each project has its own keys and its own data.
  • fb_anon_ keys for browsers, fb_service_ keys for trusted servers.
  • Auto-generated REST endpoints for every table you define.
  • SHA-256 hashed keys at rest. Plaintext shown once.

Quickstart

Make your first request

  1. Create a project
     Sign in and click "+ New project" on your dashboard. You'll get an anon and a service_role key.
  2. Copy the anon key
     It's shown ONCE. Store it in a safe place — you'll need it on every request.
  3. Define a table
     Open the project → Database → New table. Add column names + types.
  4. Send a request
     Use the snippets below to read or write data.

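// Read rows with the anon key. Never put an fb_service_ key in client code.
const res = await fetch(
  'https://forgebaas.com/api/v1/PROJECT_ID/TABLE_NAME',
  { headers: { Authorization: 'Bearer fb_anon_xxxxxxxx...' } }
);
// fetch does not throw on error statuses such as 401 or 429; check explicitly.
if (!res.ok) throw new Error(`ForgeBaaS request failed: ${res.status}`);
const { data } = await res.json();
console.log(data);

Auth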

Authentication

Every request must include an Authorization header with a valid project key:

Authorization: Bearer fb_anon_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys are matched by SHA-256 hash on the server. The plaintext key never leaves your machine after creation, and never appears in logs.

Never expose service_role keys in browsers
The fb_service_ key bypasses safety checks and grants full project access. Keep it on your server. Requests from a browser using a service key are rejected.

Keys

API key types

| Prefix | Use | Scope | Risk |
| --- | --- | --- | --- |
| fb_anon_… | Browsers, mobile apps | Reads + writes restricted to whitelisted tables | Safe to ship in client code |
| fb_service_… | Servers, cron jobs, webhooks | Full project access, bypasses checks | Never expose to clients |

You can rotate any key from the project's API & Keys tab. Rotation issues a new plaintext (shown once) and invalidates the previous one immediately.
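
The key handling described above (fb_anon_ / fb_service_ prefixes, SHA-256 hashes at rest, plaintext shown once, immediate invalidation on rotation) can be sketched as follows. This is an added example, not ForgeBaaS source code; KeyStore, its method names, the in-memory Map and the 24-byte random key body are assumptions.

```javascript
// Added sketch of hash-at-rest API keys; not ForgeBaaS source code.
// KeyStore, its methods and the in-memory Map are hypothetical.
const { createHash, randomBytes } = require('node:crypto');

const PREFIXES = new Map([['anon', 'fb_anon_'], ['service', 'fb_service_']]);
const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

class KeyStore {
  constructor() {
    this.byHash = new Map(); // sha256(plaintext) -> { projectId, role }
  }

  // Returns the plaintext exactly once; only its hash is retained.
  issue(projectId, role) {
    if (!PREFIXES.has(role)) throw new Error(`unknown role: ${role}`);
    // 24 random bytes (assumed length) make guessing or brute force impractical.
    const plaintext = PREFIXES.get(role) + randomBytes(24).toString('hex');
    this.byHash.set(sha256(plaintext), { projectId, role });
    return plaintext;
  }

  // Rotation removes the old hash first, so the previous key fails immediately.
  rotate(projectId, role) {
    for (const [hash, rec] of this.byHash) {
      if (rec.projectId === projectId && rec.role === role) this.byHash.delete(hash);
    }
    return this.issue(projectId, role);
  }

  // Maps an Authorization header to a key record, or null (respond 401).
  authenticate(header, urlProjectId) {
    const m = /^Bearer (fb_(?:anon|service)_[0-9a-f]+)$/.exec(header || '');
    if (!m) return null;
    const rec = this.byHash.get(sha256(m[1]));
    // A valid key for a different project must not authenticate this URL.
    if (!rec || rec.projectId !== urlProjectId) return null;
    return rec;
  }
}

// Constructed demo values.
const demoStore = new KeyStore();
const oldKey = demoStore.issue('proj_demo', 'anon');
const newKey = demoStore.rotate('proj_demo', 'anon');
console.log(demoStore.authenticate(`Bearer ${oldKey}`, 'proj_demo')); // null
console.log(demoStore.authenticate(`Bearer ${newKey}`, 'proj_demo').role); // anon
```

A fast, unsalted hash is reasonable here only because the key body is long random data; the same storage scheme would not be appropriate for user-chosen passwords.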

REST

REST API reference

Base URL:

https://forgebaas.com/api/v1/{projectId}

GET /api/v1/:projectId/:table

List rows in a table. Always scoped to your project_id.

Example response
{
  "data": [{ "id": "...", "title": "Hello" }],
  "count": 1
}

POST /api/v1/:projectId/:table

Insert a row. Body is validated against the columns defined in the project.

Example response
{
  "data": { "id": "...", "title": "Hello", "created_at": "..." },
  "error": null
}

DELETE /api/v1/:projectId/:table/:id

Delete a single row by id. Only succeeds if the row belongs to your project.

Example response
{ "success": true }

Schema

Tables & columns

Tables are declared from the dashboard, not by raw SQL. For each table you choose:

  • A table name (lowercase, snake_case).
  • One or more columns with a name and type: text, number, boolean, date.

The REST API automatically validates incoming bodies against your column definitions and rejects unknown tables with 403.

Errors

Error responses

| Status | Code | When |
| --- | --- | --- |
| 400 | bad_request | Invalid body or missing required column |
| 401 | unauthorized | Missing or invalid Authorization header |
| 403 | forbidden | Table is not registered for this project, or service key from browser |
| 404 | not_found | Row id does not exist in this project |
| 429 | rate_limited | More than 100 requests per minute for this key |
| 500 | server_error | Unexpected error — please retry or contact support |

Limits

Rate limits

Each API key is limited to 100 requests per minute. When you exceed it, the API returns:

HTTP/1.1 429 Too Many Requests
Retry-After: 30

{ "error": "rate_limited", "retry_after": 30 }

Need higher limits? Upgrade to Pro.

Security

How your data stays isolated

  • Every row inserted via the API is tagged with your project_id.
  • Every read filters by your project_id — no cross-tenant leakage.
  • Keys are hashed with SHA-256 before storage. Plaintext is shown once, then dropped.
  • Row-Level Security on the dashboard ensures only the owner can see project metadata.

Logs

Request logs

Every request to the public API is recorded with method, table, status code, and timestamp. View live logs from Project → Logs. Use them to debug integrations or monitor traffic.