Authentication

Rekall supports multiple authentication methods to secure your API requests. Every request to the Rekall API must be authenticated using one of the methods described below.

Base URL

All API requests are made to https://api.rekall.ai/v1. Authentication credentials are passed via request headers.

Authentication Methods

Choosing a Method

Use Case | Recommended Method
Server-side integration or script | API Keys
Third-party app acting on behalf of users | OAuth 2.0
Enterprise team with identity provider | Enterprise SSO
Local development or CI testing | Sandbox Mode
Agent integration (MCP, LangChain) | API Keys + Scopes

Quick Start

The fastest way to authenticate is with an API key. Create one in your dashboard and pass it as a Bearer token:

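import Rekall from '@rekall/sdk';

// Read the key from the environment; never hardcode it.
const rekall = new Rekall({
  apiKey: process.env.REKALL_API_KEY, // rk_...
});

// List memories with the authenticated client.
const memories = await rekall.memories.list();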

Security Best Practices

Use environment variables

Never hardcode API keys in source code. Store them in environment variables or a secrets manager.

Rotate keys regularly

Rotate API keys every 90 days. Use the dashboard to create a new key before revoking the old one.

Apply least-privilege scopes

Assign only the scopes your application needs. Avoid using admin keys where read-only access suffices.

Use sandbox keys for development

Use sandbox keys (rk_test_) during development. They are completely isolated from production data.

Always use HTTPS

All requests to the Rekall API are served over TLS. HTTP requests are rejected and never downgraded.
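
The practices above can be enforced as a startup check that fails before any request is sent. This is an added example, not part of the Rekall SDK or the original page; the `REKALL_BASE_URL` and `REKALL_API_KEY_CREATED_AT` variables, the use of `NODE_ENV` to detect production, and the `checkRekallConfig` name are assumptions made for illustration.

```javascript
// Added example, not Rekall SDK code. REKALL_BASE_URL, REKALL_API_KEY_CREATED_AT
// and the NODE_ENV convention are assumptions of this sketch.
const MAX_KEY_AGE_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

function checkRekallConfig(env, now = new Date()) {
  const problems = [];
  const key = env.REKALL_API_KEY || '';

  // Key comes from the environment, has the rk_ prefix, and is a sandbox
  // key (rk_test_) everywhere except production.
  if (!key) {
    problems.push('REKALL_API_KEY is not set');
  } else if (!key.startsWith('rk_')) {
    problems.push('REKALL_API_KEY does not look like a Rekall key');
  } else if (env.NODE_ENV !== 'production' && !key.startsWith('rk_test_')) {
    problems.push('non-sandbox key used outside production');
  }

  // The API rejects plain HTTP; fail locally before the key is ever sent.
  try {
    const url = new URL(env.REKALL_BASE_URL || 'https://api.rekall.ai/v1');
    if (url.protocol !== 'https:') problems.push('REKALL_BASE_URL must use https');
  } catch {
    problems.push('REKALL_BASE_URL is not a valid URL');
  }

  // 90-day rotation, based on an operator-recorded creation date.
  if (env.REKALL_API_KEY_CREATED_AT) {
    const ageDays = Math.floor((now - new Date(env.REKALL_API_KEY_CREATED_AT)) / DAY_MS);
    if (Number.isNaN(ageDays)) {
      problems.push('REKALL_API_KEY_CREATED_AT is not a valid date');
    } else if (ageDays > MAX_KEY_AGE_DAYS) {
      problems.push(`API key is ${ageDays} days old; rotate it`);
    }
  }
  return problems; // messages never include the key itself
}

// Constructed sample environment (placeholder key, not a real credential).
const sampleProblems = checkRekallConfig(
  { REKALL_API_KEY: 'rk_EXAMPLEONLY', NODE_ENV: 'development',
    REKALL_BASE_URL: 'http://api.rekall.ai/v1',
    REKALL_API_KEY_CREATED_AT: '2025-01-01' },
  new Date('2025-06-01T00:00:00Z'));
console.log(sampleProblems);
```

Call it with `process.env` at process start and exit non-zero when the returned list is not empty.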

Key Exposure

If you suspect an API key has been exposed, revoke it immediately in your dashboard. Revoked keys are invalidated within 60 seconds across all edge locations.
