Authentication
API Keys​
All API endpoints use Bearer token authentication. SharedMemory uses scoped API keys with distinct prefixes:
| Prefix | Scope | Description |
|---|---|---|
sm_agent_ | Agent | Auto-generated when you create an agent. Scoped to a single project. |
sm_proj_rw_ | Project | Read/write project-level key for direct API access. |
sm_proj_r_ | Project | Read-only project key. |
sm_org_rw_ | Organization | Full org-level access (admin use only). |
Authorization: Bearer sm_agent_abc123...
Creating an Agent API Key​
Via Dashboard (recommended):
- Go to Agents → Create Agent
- Select the organization and project
- Give the agent a name and optional system prompt
- Copy the generated
sm_agent_key — it's shown only once
Via API:
curl -X POST https://api.sharedmemory.ai/agents \
-H "Authorization: Bearer <user-session-token>" \
-H "Content-Type: application/json" \
-d '{
"org_id": "your-org-id",
"project_id": "your-project-id",
"name": "my-agent",
"description": "My AI assistant"
}'
Response:
{
"agent": {
"agent_id": "a1b2c3d4-...",
"name": "my-agent"
},
"api_key": "sm_agent_abc123..."
}
warning
The API key is shown only once at creation time. Store it securely.
Key Rotation​
Rotate an agent's key without recreating it:
curl -X POST https://api.sharedmemory.ai/agents/<agent_id>/rotate-key \
-H "Authorization: Bearer <user-session-token>"
Key Security​
- Keys are stored as SHA-256 hashes — we cannot recover lost keys
- Only the first 16 characters (prefix) are stored for display
- Rotate keys via the dashboard or API (no need to recreate agents)
- Never commit keys to version control
User Authentication​
Dashboard and web app endpoints use Google OAuth 2.0 via passport-google-oauth20. These are not relevant for agent API usage.
Project Access​
Agents are scoped to a project at creation time. No separate "connect" step is needed — the agent key inherits access to its project's memory space automatically.