When do I use the client-side API vs the server-side API?
Use the client-side API (forte.users.*) from browsers and mobile apps — it authenticates with the signed-in user's session cookie and is scoped to that one user. Use the server-side API (forte.projects.*) from your backend — it authenticates with FORTE_API_TOKEN and acts as the project owner: admin user management, payments on behalf of any user, logs and metrics.
Rule of thumb: if the credential lives in a browser, it's client-side; if it lives in a server environment variable, it's server-side.