Authentication & Keys
Every request authenticates with a bearer key: `Authorization: Bearer mv_…`. Keys are stored only as SHA-256 hashes — nobody, including us, can read your key back.
Key types
| Type | Permissions | Typical use |
|---|---|---|
| Main | read + write | your backend, connectors, agents |
| Read-only | search and reads; any write returns 403 | dashboards, demos, untrusted surfaces |
Keys can carry an optional expiry — an expired key behaves like an invalid one.
Rotation
POST /v1/memory/admin/rotate-key
→ {"api_key": "mv_NEW…", "message": "Key rotated. The previous key is now invalid…"}
Rotation is immediate: the old key stops working as soon as the call returns, and the new key is shown once. Authenticate the call with the key you're rotating.
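
The key model described above (hash-only storage, read-only keys that get 403 on writes, expiry, and immediate rotation) as an added Python example; it is not the service's own code. The `KeyStore` class, the 401 status for invalid or expired keys, and the rule that only a main key may rotate are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class KeyStore:
    """Hypothetical store that keeps only SHA-256 digests, never raw keys."""

    def __init__(self):
        # hex digest -> {"read_only": bool, "expires_at": epoch seconds or None}
        self._keys = {}

    @staticmethod
    def _digest(raw_key):
        # Unsalted SHA-256 is adequate only because keys are long random
        # tokens, not human-chosen passwords.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self, read_only=False, expires_at=None):
        raw = "mv_" + secrets.token_urlsafe(32)  # returned once, not stored
        self._keys[self._digest(raw)] = {"read_only": read_only,
                                         "expires_at": expires_at}
        return raw

    def authorize(self, header, is_write, now=None):
        """Return 200 (allowed), 401 (invalid or expired; assumed status),
        or 403 (write attempted with a read-only key, as in the table)."""
        now = time.time() if now is None else now
        scheme, _, raw = (header or "").partition(" ")
        if scheme != "Bearer" or not raw:
            return 401
        record = self._keys.get(self._digest(raw))
        if record is None:
            return 401
        if record["expires_at"] is not None and now >= record["expires_at"]:
            return 401  # an expired key behaves like an invalid one
        if is_write and record["read_only"]:
            return 403
        return 200

    def rotate(self, header, now=None):
        """Authenticate with the key being rotated, then replace its digest.
        Treating rotation as a write (main keys only) is an assumption."""
        if self.authorize(header, is_write=True, now=now) != 200:
            return None
        record = self._keys.pop(self._digest(header.partition(" ")[2]))
        new_raw = "mv_" + secrets.token_urlsafe(32)
        self._keys[self._digest(new_raw)] = record
        return new_raw  # the old key is already invalid at this point
```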
Lost your key?
Use key recovery: enter your account email and a fresh key is issued (the old one is invalidated) — delivered via a one-time reveal link, never as a raw key in the email body.
Handling keys safely
- Read keys from the environment (`LONGMEM_API_KEY`) — both SDKs do this by default.
- Never commit keys; RememberOS's own ingest can scan dropped content for secrets (`SECRET_SCAN_MODE=warn|block`).
- Use a read-only key anywhere a key could leak to a browser or end user.