Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.mnemom.ai/llms.txt

Use this file to discover all available pages before exploring further.

Rotating your agent’s API key

When you rotate a provider API key (Anthropic, OpenAI, or Gemini), Mnemom would normally treat the new key as a brand-new, unregistered agent — losing your traces, alignment card, integrity score, and trust edges. Rekeying re-binds your existing agent to the new key in seconds, with no history lost.

How it works

Your agent is identified by the first 16 characters of the SHA-256 hash of your provider API key. Mnemom never stores or transmits your raw key — only this short hash. Rekeying atomically swaps the stored hash to match your new key, keeping the agent ID and all associated data intact. The operation is:
  • Atomic — conflict detection and hash swap happen in a single database transaction
  • Privacy-preserving — your raw API key is hashed client-side before any network call
  • Non-destructive — agent ID, traces, alignment card, integrity score, and trust edges are unchanged

Prerequisites

  • Your agent must be claimed and linked to your Mnemom account
  • You must have your new provider API key ready before starting

Option 1: Dashboard

2
Open your agent dashboard and click the Security tab.
3
Open the API key section
4
Scroll to API Key at the bottom of the Security tab and click Rotate Key.
5
Confirm the operation
6
Read the confirmation dialog, then click Continue.
7
Enter your new key
8
Enter your new provider API key in the input and confirm it. The key is hashed in your browser before being sent — it is never transmitted in raw form.
9
Done
10
A success notification confirms the re-binding. Update your ANTHROPIC_API_KEY (or equivalent) environment variable.

Option 2: API

Compute the SHA-256 hash of your new key client-side, then POST it: 
# Unnamed agent: hash the key directly
NEW_HASH=$(printf '%s' 'your-new-api-key' | sha256sum | cut -c1-16)

curl -X POST https://api.mnemom.ai/v1/agents/mnm-550e8400-e29b-41d4-a716-446655440000/rekey \
  -H "Authorization: Bearer <your-mnemom-token>" \
  -H "Content-Type: application/json" \
  -d "{\"new_key_hash\": \"$NEW_HASH\"}"
Named agents (registered with x-mnemom-agent header — the name is included in the hash): 
NEW_HASH=$(printf '%s' 'your-new-api-key|my-coder' | sha256sum | cut -c1-16)
Replace my-coder with the exact name used when the agent was registered. Check your agent details in the dashboard or via GET /v1/agents/{agent_id} to confirm the name. Success response: 
{
  "success": true,
  "agent_id": "mnm-550e8400-e29b-41d4-a716-446655440000",
  "rekeyed_at": "2026-03-31T12:00:00.000Z"
}

Reading your key prefix

After your first gateway request following this update, your agent displays the first 16 characters of its bound provider key — enough to identify the provider and key type without exposing sensitive material.
ProviderExample prefix
Anthropicsk-ant-api03-xx…
OpenAIsk-proj-xxxxxxx…
GeminiAIzaSyBxxxxxxxx…
Agents registered before this feature was shipped will show “Prefix not available” until they make their next gateway request, at which point the prefix is captured automatically.

Verifying your key binding

Not sure which key is bound to your agent? Use verify binding to confirm without rekeying.

Dashboard

In the agent Security tab, click Verify my key below the current key prefix display. Enter your key — the result appears inline.

API

KEY_HASH=$(printf '%s' 'your-api-key' | sha256sum | cut -c1-16)

curl -X POST https://api.mnemom.ai/v1/agents/mnm-550e8400-e29b-41d4-a716-446655440000/verify-binding \
  -H "Authorization: Bearer <your-mnemom-token>" \
  -H "Content-Type: application/json" \
  -d "{\"key_hash\": \"$KEY_HASH\"}"
Response: 
{ "bound": true, "key_prefix": "sk-ant-api03-xx" }

Multiple named agents from the same key

If you registered multiple named agents from the same provider key, each holds a distinct hash:
  • Agent A: SHA256(key|nameA).slice(0, 16)
  • Agent B: SHA256(key|nameB).slice(0, 16)
You must rekey each agent independently, using the correct hash for each name. Use the dashboard or API to rekey each one: 
# Via API — rekey agent-a
NEW_HASH_A=$(printf '%s' 'your-new-api-key|agent-a' | sha256sum | cut -c1-16)
curl -X POST https://api.mnemom.ai/v1/agents/AGENT_A_ID/rekey \
  -H "Authorization: Bearer <your-mnemom-token>" \
  -H "Content-Type: application/json" \
  -d "{\"new_key_hash\": \"$NEW_HASH_A\"}"

# Via API — rekey agent-b
NEW_HASH_B=$(printf '%s' 'your-new-api-key|agent-b' | sha256sum | cut -c1-16)
curl -X POST https://api.mnemom.ai/v1/agents/AGENT_B_ID/rekey \
  -H "Authorization: Bearer <your-mnemom-token>" \
  -H "Content-Type: application/json" \
  -d "{\"new_key_hash\": \"$NEW_HASH_B\"}"

Resolving key conflicts

If you used your new key to make a request before rekeying, the gateway auto-created a shadow agent for it. The rekey endpoint returns 409 Conflict with the shadow agent’s ID. To resolve:
  1. Note the conflict_agent_id from the error (409 response body or CLI output)
  2. In your dashboard, navigate to the shadow agent and Deactivate it (Settings tab → Deactivate)
    • Only do this if the shadow agent is unclaimed and has no meaningful history
  3. Retry the rekey
If the shadow agent has traces you want to keep, contact support@mnemom.ai before deactivating it.

Security notes

  • The raw API key is never transmitted to Mnemom. Only the 16-character SHA-256 prefix is sent.
  • The rekey operation is rate-limited per account to prevent abuse.
  • After rekeying, the old key no longer identifies this agent. Any infrastructure still using the old key will auto-create a new, unclaimed agent — rotate your environment variable promptly.
  • The rekeyed_at timestamp and a rekey_count are stored on the agent for audit purposes.