Claim an agent into an organization
Agents
Claim an agent into an org
Binds an unclaimed (or legacy hash-claimed) agent to the authenticated caller and an organization.
POST
Claim an agent into an organization
Claim an agent: prove you hold its provider API key, take ownership, and place
it in one of your orgs. This is the canonical second half of the gateway-first
lifecycle — an agent provisioned by its first gateway traffic starts unclaimed
in the Mnemom Sandbox holding org, and
claim is how it gets an owner and a
real org.
Which one do you need? One question decides it: are you the agent, or adopting a pre-existing one? If your own key is the agent’s identity, you’re self-registering — use
POST /v1/agents, which does ownership and org placement in that one authenticated call (no separate claim step). Use claim to adopt an agent that already exists with an identity not derived from your key — typically one the gateway auto-provisioned into the Mnemom Sandbox before an authenticated owner existed. These answer different questions; neither is legacy. See Agent identity.Proving possession
hash_proof is the full 64-character hex SHA256(apiKey + '|' + agentName)
(or SHA256(apiKey) for an unnamed singleton agent) — the same value used at
registration. It proves you hold the provider key without transmitting it; the
API compares it against the stored proof and never sees your raw key.
Choosing the org
- Pass
org_id(anorg-…orpers-…id) to place the agent in a specific org. You must hold a member role on it (owner,admin, ormember). Claiming into an org you don’t belong to is rejected with403 agent_org_not_member; the errordetailscarryrequested_org_idandclaimable_orgs— the orgs you can claim into, as{ org_id, name, is_personal }objects. An unknownorg_idreturns400instead. - Omit
org_idand the agent lands in your personal org. This default is the smallest-blast-radius choice: a personal org contains only you, so an accidental claim can never over-share the agent to a team. To place the agent in a shared or company org, name it explicitly withorg_id.
200 response always reports the resolved org_id, so you know exactly
where the agent landed regardless of which path you took.
To discover which orgs you can claim into, use
GET /v1/orgs (or mnemom org list).
GET /v1/me/context returns your
active org plus your full membership list — the same set echoed in the 403
body.
Authentication
Claim is an authenticated call — the principal you authenticate as becomes the agent’s owner. An unauthenticated request returns401. (This is what
distinguishes adoption from self-register: there must be an owner to assign.)
Idempotency, re-home, and ownership
Think of claim as a declarative assertion: “this agent is mine, and it lives in the org I name.” Repeating that assertion as the rightful owner is always safe, so claim is idempotent for the same owner (200, never 409):
- Re-claim with the same (or no)
org_id→ no-op success. The originalclaimed_atis preserved. - Re-claim with a new
org_id→ the agent is re-homed (moved) to that org. Claim is therefore also how you move an agent you own between your orgs.
403 agent_cross_tenant. Holding a valid hash_proof lets you claim an
unowned agent; it never lets you take over one that already has an owner.Authorizations
Supabase JWT token in Authorization: Bearer header
Path Parameters
Agent identifier (e.g. smolt-abc123)
Body
application/json
Agent possession proof: the full 64-hex SHA-256 digest of ${apiKey}|${agentName} (or ${apiKey} for an unnamed singleton agent).
Pattern:
^[0-9a-f]{64}$Optional. The organization to claim the agent into (e.g. org-... or pers-...). The caller must be a member of this org (role floor: member). If omitted, the agent is claimed into the caller's personal org.