My Forge app calls the Atlassian Admin API using a Bearer token (key generated on admin.atlassian.com). It works fine with curl but always returns 401 inside Forge.
The same key works perfectly in curl:
Hi @safa sahli
This is a very common and well-documented Forge pitfall. The core issue is that Forge apps cannot use a plain Bearer token (API key) for the Atlassian Admin API — the Forge runtime has specific constraints on how external HTTP calls are authenticated.
Why curl works but Forge doesn't:
curl uses your personal Admin API key directly as a Bearer token — this works for direct calls.
fetch(), Forge intercepts outbound calls and the Admin API at admin.atlassian.com/admin/v1/orgs is not a standard product API — it requires org-level authentication that Forge's asApp() and asUser() don't natively support.
The correct approach:
forge variables set --encrypt ADMIN_API_KEY your-key-here
import { fetch } from '@forge/api';
const response = await fetch('https://api.atlassian.com/admin/v1/orgs', {
  headers: {
    'Authorization': `Bearer ${process.env.ADMIN_API_KEY}`,
    'Accept': 'application/json'
  }
});
external fetch permissions are declared in your manifest.yml for the api.atlassian.com domain.
Hello @safa sahli
I wouldn't be so quick to blame the API key just yet! Since your curl test worked fine, we already know the key itself is valid and the endpoint is happy to accept it. The real mystery here is likely how Forge is handling the request behind the scenes.
Org-level Admin APIs are a bit of a special case because they don't always play well with the standard Forge auth flow. You’ll want to double-check that this request is running through a backend resolver and that you've explicitly whitelisted api.atlassian.com in your manifest's external fetch permissions. The most common "gotcha" here is trying to use the standard asUser() or asApp() helpers; since this needs a Bearer token, you actually need to use a regular fetch and manually set your Authorization header yourself.
If you’ve already got all that configured and you’re still seeing that 401, you might be bumping into a specific platform limitation. In that case, your best bet is to move the conversation over to the Atlassian Developer Community or reach out to support directly so the team can take a closer look at what’s happening under the hood.
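The pattern both answers describe (a regular fetch with a manually set Authorization header, key read from an encrypted Forge variable), as an added example that is not part of either post or of Atlassian's code. `buildAdminRequest`, `redactForLog` and `listOrgs` are hypothetical names, and `fetch` is passed in as a parameter so the block also runs outside Forge.

```javascript
// Added example. In a Forge backend resolver, call listOrgs(fetch, process.env)
// with `fetch` imported from '@forge/api'.
const ADMIN_ORGS_URL = 'https://api.atlassian.com/admin/v1/orgs'; // URL from the thread

// Build the request, refusing to send when the variable is unset; otherwise
// the header would literally read "Bearer undefined" and the API answers 401.
function buildAdminRequest(env) {
  const key = (env.ADMIN_API_KEY || '').trim();
  if (!key) {
    throw new Error('ADMIN_API_KEY is not set for this Forge environment');
  }
  return {
    url: ADMIN_ORGS_URL,
    options: {
      method: 'GET',
      headers: { Authorization: `Bearer ${key}`, Accept: 'application/json' },
    },
  };
}

// Copy of the request with the credential masked, safe to write to logs.
function redactForLog(request) {
  const headers = { ...request.options.headers, Authorization: 'Bearer [redacted]' };
  return { url: request.url, options: { ...request.options, headers } };
}

// Perform the call and return a result object, so the caller can tell
// "key rejected" (401) apart from other HTTP failures without leaking the key.
async function listOrgs(fetchImpl, env) {
  const request = buildAdminRequest(env);
  const response = await fetchImpl(request.url, request.options);
  if (response.status === 401) {
    return { ok: false, status: 401, reason: 'unauthorized', sent: redactForLog(request) };
  }
  if (!response.ok) {
    return { ok: false, status: response.status, reason: 'http_error', sent: redactForLog(request) };
  }
  return { ok: true, status: response.status, body: await response.json() };
}
```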