API surfaces

Forte provides two sets of HTTPS API endpoints for most routes. You should choose which one to call based on where your code runs (server-side vs client-side) and which type of credential is available (a user session token or a Forte API token).

Client-side APIServer-side API
SDK namespaceforte.users.*forte.projects.*
Runs inBrowser or mobile app (Forte Websites)backend code (Forte Service)
CredentialEnd-user session cookieFORTE_API_TOKEN
Acts asThe signed-in end userThe project owner

Client-side API

You call the client-side API (forte.users.*) directly from a browser or mobile app. It authenticates with the end user's Forte-User-Session-Token cookie, which Forte sets automatically when a user logs in.

You can use it to:

  • Sign users in — Google OAuth, OTP via email or SMS
  • Read and update the signed-in user's profile
  • Manage the signed-in user's contact methods and verify them
  • Create and list the signed-in user's payments
  • Upload, share, and download content belonging to the signed-in user
  • Renew or invalidate the user's session

Because the credential is the session cookie, the client-side API is scoped to the signed-in user. One user cannot read or change another user's data.

No setup needed in the browser

Construct new ForteClient() with no arguments. The SDK relies on the Forte-User-Session-Token cookie, which is set automatically by Forte's authentication endpoints.

Server-side API

You call the server-side API (forte.projects.*) from your backend service. It authenticates with FORTE_API_TOKEN, which Forte injects automatically as an environment variable into every deployed service.

You can use it to:

  • Manage users as an administrator — list, search, suspend, delete
  • Read or set any user's contact methods without a verification code
  • Create payments on behalf of any user in the project
  • Manage services and website deployments
  • Read request logs, metrics, and build history
  • Send email or SMS to any user in the project
  • Create and revoke project-scoped API keys
Credential is automatic inside a Forte Service

When your code runs inside a Forte Service, FORTE_API_TOKEN is injected as an environment variable. Construct new ForteClient() with no arguments and the SDK picks it up.

Credential safety

Never ship FORTE_API_TOKEN to a browser

FORTE_API_TOKEN is a server-side secret. If it appears in a browser bundle or client-side JavaScript, any visitor to your site can use it to act as the project owner — reading all user data, suspending accounts, sending messages, and more.

FORTE_API_TOKEN belongs only in server-side code or backend environment variables. Forte intentionally keeps it out of Forte Websites for this reason.

The Forte-User-Session-Token cookie, by contrast, is designed to live in the browser. The cookie is scoped to one user in one project and grants no administrator privileges.

Choosing the right surface

You have…Use
The session cookie (user just logged in)Client-side API — forte.users.*
FORTE_API_TOKEN in a server environmentServer-side API — forte.projects.*
A need to act as the signed-in userClient-side API
A need to act on behalf of the projectServer-side API
A need to read another user's dataServer-side API

If the credential lives in a browser, use the client-side API. If it lives in a server environment variable, use the server-side API.

Common pairings

Most resources expose both surfaces — a user-scoped path the end user calls themselves, and a project-owner path your backend calls on their behalf.

ResourceClient-side (forte.users.*)Server-side (forte.projects.*)
Paymentsforte.users.createPaymentforte.projects.createPayment
Payment previewsforte.users.createPaymentPreviewforte.projects.createPaymentPreview
Contact methodsSelf-service add, verify, deleteAdmin add, override, mark verified without code
File contentOwn content onlyAny user's content

See Creating Payments for a full worked example of both surfaces side-by-side.

Constructing the client

The same ForteClient class serves both surfaces. Only the credential you construct it with changes:

  • Client-side (forte.users.*) — construct with no arguments; the Forte-User-Session-Token cookie authenticates each call.
  • Server-side inside a Forte Service (forte.projects.*) — construct with no arguments; the injected FORTE_API_TOKEN is picked up automatically.
  • Server-side outside Forte — pass FORTE_API_TOKEN explicitly.

See SDKs for installation and the full constructor reference in TypeScript, Java, and Python.

Search

Search documentation and console pages