Administration
API keys
Granular, rotatable, network-restrictable credentials for everything Mnemos does over HTTP.
Key types
- Workspace keys — bound to a workspace, can act as the workspace service principal. Cannot create new workspaces or modify billing.
- User keys — issued by a specific user; can't exceed that user's effective role.
- Integration keys — issued for a registered integration with a fixed scope set. Used by Mnemos' own connectors and partner platforms.
Scopes
Every key has an explicit scope list. The default is empty; you must grant at least one scope on creation.
| Scope | Grants |
|---|---|
| sessions:read | List and read sessions and their transcripts. |
| sessions:write | Create, update, and complete sessions. |
| sops:read | Read SOPs and versions. |
| sops:write | Create, edit, approve, and archive SOPs. |
| graph:read | Traverse the memory graph. |
| graph:write | Create or update entities and relationships. |
| search:read | Run AI search and chat queries. |
| members:read | List members and their roles. |
| members:write | Invite, remove, and re-role members. |
| audit:read | Read the audit log; required for export. |
| webhooks:manage | Create, update, and remove webhook endpoints. |
IP and environment restrictions
Each key can be locked to:
- CIDR ranges — list of allowed source networks (IPv4 and IPv6).
- Environment tags — production, staging, or custom tags. Requests must include the matching X-Mnemos-Env header.
- Time windows — optional allowed hours for cron-like keys.
```bash
curl -X POST https://api.mnemos.ai/v1/api-keys \
  -H "Authorization: Bearer $MNEMOS_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Salesforce sync (prod)",
    "scopes": ["graph:write", "sops:read"],
    "ip_allowlist": ["52.10.0.0/16"],
    "environments": ["production"],
    "expires_at": "2026-12-31T23:59:59Z"
  }'
```
Rotation
Each key supports overlapping rotation: you can mint a successor with the same name and scope set, then revoke the predecessor when your deploy is complete. Keys can also carry an explicit expires_at; they stop working at that timestamp and are surfaced in the audit log 30, 7, and 1 days before expiry.
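A pre-flight check you can run on a key-creation request body before sending it, covering the scope, network, environment, and expiry settings described above. This is an added example, not Mnemos code: the field names and scope list come from this page, while the function name, the 365-day lifetime limit, and the prefix-length thresholds are local policy assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Scope names copied from the Scopes table on this page.
KNOWN_SCOPES = {
    "sessions:read", "sessions:write", "sops:read", "sops:write",
    "graph:read", "graph:write", "search:read", "members:read",
    "members:write", "audit:read", "webhooks:manage",
}
# Local policy thresholds (assumptions, not Mnemos limits).
MAX_LIFETIME = timedelta(days=365)
MIN_PREFIX = {4: 16, 6: 32}  # flag networks broader than /16 (IPv4) or /32 (IPv6)
# Constructed sample: the request body from this page's curl example.
SAMPLE = {"name": "Salesforce sync (prod)", "scopes": ["graph:write", "sops:read"],
          "ip_allowlist": ["52.10.0.0/16"], "environments": ["production"],
          "expires_at": "2026-12-31T23:59:59Z"}


def audit_key_request(body, now):
    """Return a list of findings for one key-creation request body."""
    findings = []
    scopes = body.get("scopes", [])
    if not scopes:
        findings.append("no scopes: at least one scope must be granted")
    findings += [f"unknown scope: {s}" for s in scopes if s not in KNOWN_SCOPES]
    privileged = [s for s in scopes if s.endswith((":write", ":manage"))]
    nets = body.get("ip_allowlist", [])
    if privileged and not nets:
        findings.append("write/manage scopes without ip_allowlist")
    for cidr in nets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError:
            findings.append(f"invalid CIDR: {cidr}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"overly broad network: {cidr}")
    if not body.get("environments"):
        findings.append("no environment restriction")
    exp = body.get("expires_at")
    if exp is None:
        findings.append("no expires_at set")
    else:
        when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        if when <= now:
            findings.append("expires_at is in the past")
        elif when - now > MAX_LIFETIME:
            findings.append("expires_at more than 365 days away")
    return findings
```

Pass a timezone-aware `now`; an empty result means the body satisfies the local policy.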
Treat keys like passwords
Mnemos shows the secret value exactly once at creation time. Store it in your secrets manager immediately. If a key is leaked, revoke it from the admin console — revocation is instantaneous.