Security & Access
fibe.gg gives you granular control over how external tools and services interact with your account through API Keys and Webhooks.
API Keys
API Keys let you authenticate programmatically — for CI/CD pipelines, the MCP server, or any custom tooling.
Creating an API Key
- Go to Profile → API Keys
- Click New API Key
- Give it a descriptive label (e.g., GitHub Actions CI)
- Select the scopes you need
- Copy your key — it will only be shown once
Store your key securely. fibe.gg only shows the full token at creation time.
Scopes
API keys are scoped — they only grant access to what you explicitly allow:
| Scope | Access |
|---|---|
| playrooms:read | List and view Playrooms |
| playrooms:write | Create Playrooms |
| playrooms:delete | Delete Playrooms |
| playspecs:read | List and view Playspecs |
| playspecs:write | Create and update Playspecs |
| playspecs:delete | Delete Playspecs |
| playgrounds:read | List and view Playgrounds |
| playgrounds:write | Create, extend, and recreate Playgrounds |
| playgrounds:delete | Destroy Playgrounds |
| playzones:read | List and view Playzones |
| playzones:write | Create Playzones |
| import_templates:read | Browse and search templates |
| import_templates:write | Create and manage templates |
| agents:read | List and view agents and their data |
| agents:write | Manage agent data |
| webhooks:read | View webhook endpoints and deliveries |
| webhooks:write | Create and update webhook endpoints |
| webhooks:delete | Delete webhook endpoints |
| mcp:access | Connect to the MCP server |
| repos:write | Create repositories and push files |
Key Lifecycle
- Expiry: Set an optional expiration date
- Rotation: Revoke and re-create keys at any time from your profile
- Last Used: Track when the key was last used for security auditing
Webhooks
Webhooks let external services receive real-time notifications when things happen in fibe.gg.
Supported Events
| Event | Triggered When |
|---|---|
| playground.created | A Playground is successfully created |
| playground.started | A Playground starts running |
| playground.stopped | A Playground is stopped |
| playground.destroyed | A Playground is destroyed |
| playground.error | A Playground enters an error state |
| playground.expiring | A Playground is about to expire |
| playground.recreated | A Playground is recreated from scratch |
| playroom.created | A new Playroom is registered |
| playroom.deleted | A Playroom is deleted |
| playspec.created | A new Playspec is created |
| playspec.deleted | A Playspec is deleted |
Creating a Webhook Endpoint
- Go to Profile → Webhooks
- Click New Webhook
- Enter the target URL (must be HTTPS)
- Select the events you want to receive
- Optionally set a Secret to sign requests
- Click Save
Payload Format
All webhook events are delivered as HTTP POST requests:
{
  "event": "playground.created",
  "timestamp": "2024-01-15T10:30:00Z",
  "data": {
    "id": 123,
    "name": "My Playground",
    "status": "running"
  }
}
Verifying Signatures
If you set a secret, fibe.gg signs each request with an X-Playground-Signature header:
X-Playground-Signature: sha256=abc123...
Verify it in your handler by computing HMAC-SHA256(secret, raw_body) over the unparsed request body and comparing the result to the header value with a constant-time comparison.
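One way to implement the check described above, as an added example rather than fibe.gg's own code. It assumes the digest after `sha256=` is hex-encoded; the function names, the secret, and the sample delivery are constructed for illustration.

```python
import hashlib
import hmac
import json

SIG_HEADER = "X-Playground-Signature"  # header name given on this page
PREFIX = "sha256="


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build the header value. Hex encoding of the digest is an assumption."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the header holds a valid HMAC-SHA256 of the exact bytes received."""
    # HTTP header names are case-insensitive, so match without regard to case.
    received = next((v for k, v in headers.items()
                     if k.lower() == SIG_HEADER.lower()), "").strip()
    if not received.startswith(PREFIX):
        return False  # missing header or unknown scheme: fail closed
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so the mismatch position is not leaked.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle(secret: bytes, raw_body: bytes, headers: dict):
    """Return the parsed event, or None when the delivery must be rejected."""
    if not verify(secret, raw_body, headers):
        return None
    return json.loads(raw_body)  # parse only after the signature checks out


# Constructed sample delivery: the payload shape from this page, a made-up secret.
SECRET = b"constructed-example-secret"
BODY = (b'{"event": "playground.created", "timestamp": "2024-01-15T10:30:00Z", '
        b'"data": {"id": 123, "name": "My Playground", "status": "running"}}')
HEADERS = {"x-playground-signature": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle(SECRET, BODY, HEADERS)["event"])                 # accepted
    print(handle(SECRET, BODY.replace(b"123", b"999"), HEADERS))  # tampered body
    # Re-serialising changes the bytes (whitespace), so the MAC no longer matches.
    print(handle(SECRET, json.dumps(json.loads(BODY), indent=2).encode(), HEADERS))
```

The last case is why the MAC must be computed over the bytes as received: many web frameworks hand the handler an already-parsed body, and re-encoding it does not reproduce the signed bytes.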
Delivery Logs
Every webhook delivery is logged. Navigate to the webhook endpoint to inspect:
- Response status for each delivery
- Request/Response headers and body
- Failure reason if delivery failed
- Retry history for failed deliveries
Use Test Webhook to send a sample playground.created event to your endpoint and verify it's working correctly.