Authentication
Remem uses API keys for tenant-scoped authentication and JWTs for admin access.
API Keys
All /v1/* endpoints require an API key passed in the X-API-Key header:
curl -H "X-API-Key: vlt_abc123..." https://api.remem.io/v1/query
API keys are:
- Tenant-scoped — each key belongs to exactly one tenant
- Prefixed — all keys start with vlt_ for easy identification
- Revocable — revoked keys stop working immediately
- Hashed at rest — only the SHA-256 hash is stored in the database
Creating Keys
curl -X POST https://api.remem.io/v1/auth/api-keys \
  -H "X-API-Key: vlt_existing_key..." \
  -H "Content-Type: application/json" \
  -d '{"name": "production-agent"}'
The full key value is only returned at creation. Store it in a secrets manager.
Sensitivity Scoping
Each API key has a maximum sensitivity level that controls which documents it can access:
| Level | Access |
|---|---|
| public | Only public documents |
| internal | Public + internal documents |
| confidential | Public + internal + confidential |
| personal | All documents (default for new keys) |
Query results are automatically filtered to the key’s maximum sensitivity level.
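How the key properties listed earlier (vlt_ prefix, SHA-256 hash at rest, revocation, tenant scope) and the sensitivity ceiling fit together on the server side, as an added example that is not Remem's own code. The KeyStore class, the filter_results function, the record fields and the sample documents are assumptions made for illustration.

```python
import hashlib
import secrets

# Ordered from least to most sensitive, matching the table above.
LEVELS = ["public", "internal", "confidential", "personal"]

# Constructed sample documents (not real data).
SAMPLE_DOCS = [
    {"id": 1, "tenant": "tenant-a", "sensitivity": "public"},
    {"id": 2, "tenant": "tenant-a", "sensitivity": "internal"},
    {"id": 3, "tenant": "tenant-a", "sensitivity": "confidential"},
    {"id": 4, "tenant": "tenant-b", "sensitivity": "public"},
]


class KeyStore:
    """Hypothetical in-memory store keyed by SHA-256(key); no plaintext kept."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, tenant: str, max_level: str = "personal") -> str:
        if max_level not in LEVELS:
            raise ValueError(f"unknown sensitivity level: {max_level}")
        key = "vlt_" + secrets.token_urlsafe(32)
        self._records[self._digest(key)] = {
            "tenant": tenant, "max_level": max_level, "revoked": False}
        return key  # returned once; only the hash remains in the store

    def revoke(self, key: str) -> None:
        self._records[self._digest(key)]["revoked"] = True

    def authenticate(self, presented: str):
        """Return the key record, or None if malformed, unknown or revoked."""
        record = self._records.get(self._digest(presented))
        if not presented.startswith("vlt_") or record is None or record["revoked"]:
            return None
        return record


def filter_results(record, documents):
    """Keep same-tenant documents at or below the key's maximum level."""
    ceiling = LEVELS.index(record["max_level"])
    return [d for d in documents if d["tenant"] == record["tenant"]
            and LEVELS.index(d["sensitivity"]) <= ceiling]
```
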
Bearer Tokens (JWT)
Admin and dashboard endpoints accept JWT bearer tokens:
curl -H "Authorization: Bearer eyJhbG..." https://api.remem.io/v1/tenants/
Public Endpoints
These endpoints do not require authentication:
| Endpoint | Description |
|---|---|
| GET / | API info |
| GET /health | Health check |
| GET /health/live | Liveness probe |
| GET /health/ready | Readiness probe |
| GET /health/services | Service connectivity |
| POST /public/signup | Create tenant + return initial API key |
Rate Limits
Rate limits are applied per API key:
| Tier | Requests/min | Burst |
|---|---|---|
| Free | 60 | 10 |
| Pro | 600 | 50 |
When rate-limited, the API returns 429 Too Many Requests with a Retry-After header.