Scopes & Permissions
Rekall uses 14 granular scopes (resource:action) to control access to API resources. Scopes can be assigned to API keys, OAuth tokens, and agent tokens to enforce the principle of least privilege.
Least Privilege
Always assign the minimum set of scopes required for your use case. A memory reader does not need memory:write access. A search service does not need memory:delete.
All Scopes
Rekall has 14 scopes across 7 resources (memory, agent, webhook, user, org, apikey, oauth). Use the search box to filter by scope name or description.
| Scope | Description |
|---|---|
memory:read | Read memories, search, and run recall queries across all layers |
memory:write | Create and update memory entries |
memory:delete | Delete memory entries permanently |
agent:read | Read agent constellations, runs, lineage, and thought streams |
agent:spawn | Create agents, spawn child agents, and start runs |
agent:manage | Update, archive, and delete agents; write agent memory roles |
webhook:read | Read webhook configurations and delivery history |
webhook:manage | Create, update, test, and delete webhooks |
user:read | Read the authenticated user profile and account state |
user:write | Update the authenticated user profile and onboarding state |
org:read | Read hives (organizations), members, and shared configuration |
org:manage | Create and delete hives, manage members and roles |
apikey:manage | Create, rotate, and revoke API keys |
oauth:manage | Manage OAuth applications and grants |
Memory Scopes
Control access to the core memory CRUD operations including episodic, semantic, procedural, and all other memory types. Note that memory:delete is a separate grant from memory:write.
| Scope | Description |
|---|---|
memory:read | Read memories, search, and run recall queries across all layers |
memory:write | Create and update memory entries |
memory:delete | Delete memory entries permanently |
Agent Scopes
Control access to agent constellations. agent:read covers listing, runs, lineage, and thought streams; agent:spawn covers creating agents and starting runs; agent:manage covers mutation and deletion. Agent tokens (at_…) carry a subset of these scopes and are enforced per-route.
| Scope | Description |
|---|---|
agent:read | Read agent constellations, runs, lineage, and thought streams |
agent:spawn | Create agents, spawn child agents, and start runs |
agent:manage | Update, archive, and delete agents; write agent memory roles |
Webhook Scopes
Control access to webhook subscriptions and their delivery history.
| Scope | Description |
|---|---|
webhook:read | Read webhook configurations and delivery history |
webhook:manage | Create, update, test, and delete webhooks |
User Scopes
Control access to the authenticated user's own profile and account state.
| Scope | Description |
|---|---|
user:read | Read the authenticated user profile and account state |
user:write | Update the authenticated user profile and onboarding state |
Hive / Org Scopes
Control access to hives (organizations) -- shared memory spaces for team and multi-agent collaboration -- including membership and role management.
| Scope | Description |
|---|---|
org:read | Read hives (organizations), members, and shared configuration |
org:manage | Create and delete hives, manage members and roles |
Admin Scopes
Control credential management: API keys and OAuth applications.
| Scope | Description |
|---|---|
apikey:manage | Create, rotate, and revoke API keys |
oauth:manage | Manage OAuth applications and grants |
Scope Hierarchy
Scopes follow a resource-action pattern: resource:action. Higher-privilege actions do not automatically include lower-privilege ones.
Independent scopes
Each scope is independent. Having memory:write does not grant memory:read. If your application needs to both read and write memories, you must request both scopes.
Delete requires explicit grant
memory:delete is always separate from memory:write and must be explicitly granted.
Cross-resource independence
Scopes for different resources are completely independent. memory:read does not grant access to agents, webhooks, or any other resource.
Common Scope Combinations
For a typical agent integration, you will likely need: memory:read, memory:write, and agent:read (plus agent:spawn if it starts runs).
Requesting Scopes
How you specify scopes depends on your authentication method:
// Scopes are assigned when creating the keyconst key = await rekall.apiKeys.create({name: 'Agent Memory Access',scopes: ['memory:read','memory:write','agent:read','agent:spawn',],});
// Scopes are requested in the authorization URLconst authUrl = new URL('https://api.rekall.ai/v1/oauth/authorize');authUrl.searchParams.set('client_id', 'rkapp_your_client_id');authUrl.searchParams.set('scope', 'memory:read memory:write agent:read');// ...other parameters
Checking Permissions
You can check what scopes a token or key has by calling the introspection endpoint or checking the response headers.
// Check scopes via the introspection endpointconst tokenInfo = await rekall.auth.introspect();console.log(tokenInfo.scopes);// ["memory:read", "memory:write", "agent:read"]// Or check the x-rekall-scopes response headerconst response = await fetch('https://api.rekall.ai/v1/memories', {headers: { 'Authorization': `Bearer ${apiKey}` },});const grantedScopes = response.headers.get('x-rekall-scopes');console.log(grantedScopes);// "memory:read,memory:write,agent:read"
Insufficient Scopes
If a request requires a scope that the token does not have, the API returns a 403 Forbidden response with a missing_scope error code and the required scope in the response body.
{"error": "missing_scope","message": "This action requires the 'memory:write' scope.","required_scope": "memory:write","granted_scopes": ["memory:read", "agent:read"]}
Legacy Scope Mapping
Older API keys created before the granular scope system use legacy scopes. These are automatically mapped to the new system:
| Legacy Scope | Maps To |
|---|---|
read | memory:readagent:readuser:readorg:readwebhook:read |
write | memory:writememory:deleteagent:spawnwebhook:manageuser:write |
learn | agent:manage |
admin | org:manageapikey:manageoauth:manage |
Migration
Legacy scopes will continue to work indefinitely. However, we recommend migrating to granular scopes for better security. You can update a key's scopes in the dashboard or by creating a new key with the specific scopes you need.
