Skip to main content
POST
/
orgs
/
{org_id}
/
api-keys
Create organization API key
curl --request POST \
  --url https://api.mnemom.ai/v1/orgs/{org_id}/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "scopes": [
    "gateway",
    "api:read",
    "api:write"
  ]
}
'
{
  "key_id": "<string>",
  "key": "<string>",
  "key_prefix": "<string>",
  "name": "<string>",
  "org_id": "<string>",
  "scopes": [],
  "created_at": "2023-11-07T05:31:56Z",
  "last_used_at": "2023-11-07T05:31:56Z"
}

Documentation Index

Fetch the complete documentation index at: https://docs.mnemom.ai/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

Supabase JWT token in Authorization: Bearer header

Path Parameters

org_id
string
required

Organization identifier (e.g. org-abc12345)

Body

application/json
name
string

Friendly name for the key (e.g., "ci-prod").

Maximum string length: 100
scopes
enum<string>[]

Capability set for this org key (ADR-049). If omitted, the API substitutes the default. The caller is already verified as owner/admin of this org by the route's RBAC gate, so admin:org is implicit-eligible here; admin:platform still requires Mnemom-staff role.

Capability-based scope (ADR-049). gateway permits gateway-worker traffic; api:read and api:write permit identity-scoped GET and write endpoints respectively; admin:org permits org-admin operations on orgs the bearer owns/admins (per-request membership re-check); admin:platform permits /v1/admin/* Mnemom-staff operations (per-request staff-role re-check). The legacy api scope is accepted for backward compatibility and aliased to api:read + api:write at the auth gate; new keys should use the canonical vocabulary.

Available options:
gateway,
api:read,
api:write,
admin:org,
admin:platform,
api

Response

Org API key created

key_id
string
key
string

Full secret key, only returned on creation

key_prefix
string
name
string
org_id
string | null
scopes
enum<string>[]

Capabilities granted to this key. Default for new keys is ["gateway", "api:read", "api:write"]. Admin scopes (admin:org, admin:platform) are opt-in and gated by the requester's role at mint time. See API Keys → Scope vocabulary.

Capability-based scope (ADR-049). gateway permits gateway-worker traffic; api:read and api:write permit identity-scoped GET and write endpoints respectively; admin:org permits org-admin operations on orgs the bearer owns/admins (per-request membership re-check); admin:platform permits /v1/admin/* Mnemom-staff operations (per-request staff-role re-check). The legacy api scope is accepted for backward compatibility and aliased to api:read + api:write at the auth gate; new keys should use the canonical vocabulary.

Available options:
gateway,
api:read,
api:write,
admin:org,
admin:platform,
api
created_at
string<date-time>
last_used_at
string<date-time> | null