Docs version 1.0.0

Getting Started

Foundation docs that explain the platform architecture, onboarding flow, and how to deploy your first tenant app.

Forge CLI

Command reference, automation workflows, and provider integrations for the Forge CLI surface.

Forge API

HTTP API endpoints, authentication, and usage examples for automating projects outside the CLI.

SDK & Packages

Client libraries, hooks, and configuration helpers that power generated apps and the dashboard.

Integration Guides

How App Factory integrates with Supabase, Stripe, Vercel, domains, analytics, and legacy mobile tooling.

Operations & Compliance

Runbooks, infrastructure playbooks, security posture, audits, and the continuously updated changelog.

🔍⌘K

Start typing to search docs.

Authentication Patterns

1.0.0

Service tokens, organization scoping, and best practices.

On this page

API key scopes

Keys are tied to organizations; they cannot read data from other tenants.
Rotate keys through the dashboard or Doppler (ops/cli provides forge api keys coming soon).
Store keys in GitHub Actions or other CI providers as masked secrets.

The Forge API mirrors Supabase policies:

Requests run as a service role scoped to the organization provided in the key.
API responses only include prefixed tables for that org (e.g., demo_app_users).
Rate limiting sits in front of Supabase to guard shared resources.

Success

Keep the CLI for provisioning + deployment and reserve the API for querying state or integrating with external systems.

On-demand previews – Generate a temporary API key, provision an environment, and revoke the key once QA is complete.
Usage analytics – Poll the API for domain status, Supabase usage, and plan details to populate customer dashboards.
Support tooling – Build lightweight admin tools that call the API with limited keys instead of exposing Supabase directly.

Important

Never embed API keys in generated app code. Generated apps talk to Supabase directly with anon keys; API keys belong in servers or automation only.