Scopes & Permissions

Rekall uses 14 granular scopes (resource:action) to control access to API resources. Scopes can be assigned to API keys, OAuth tokens, and agent tokens to enforce the principle of least privilege.

Least Privilege

Always assign the minimum set of scopes required for your use case. A memory reader does not need memory:write access. A search service does not need memory:delete.

All Scopes

Rekall has 14 scopes across 7 resources (memory, agent, webhook, user, org, apikey, oauth). Use the search box to filter by scope name or description.

ScopeDescription
memory:readRead memories, search, and run recall queries across all layers
memory:writeCreate and update memory entries
memory:deleteDelete memory entries permanently
agent:readRead agent constellations, runs, lineage, and thought streams
agent:spawnCreate agents, spawn child agents, and start runs
agent:manageUpdate, archive, and delete agents; write agent memory roles
webhook:readRead webhook configurations and delivery history
webhook:manageCreate, update, test, and delete webhooks
user:readRead the authenticated user profile and account state
user:writeUpdate the authenticated user profile and onboarding state
org:readRead hives (organizations), members, and shared configuration
org:manageCreate and delete hives, manage members and roles
apikey:manageCreate, rotate, and revoke API keys
oauth:manageManage OAuth applications and grants

Memory Scopes

Control access to the core memory CRUD operations including episodic, semantic, procedural, and all other memory types. Note that memory:delete is a separate grant from memory:write.

ScopeDescription
memory:readRead memories, search, and run recall queries across all layers
memory:writeCreate and update memory entries
memory:deleteDelete memory entries permanently

Agent Scopes

Control access to agent constellations. agent:read covers listing, runs, lineage, and thought streams; agent:spawn covers creating agents and starting runs; agent:manage covers mutation and deletion. Agent tokens (at_…) carry a subset of these scopes and are enforced per-route.

ScopeDescription
agent:readRead agent constellations, runs, lineage, and thought streams
agent:spawnCreate agents, spawn child agents, and start runs
agent:manageUpdate, archive, and delete agents; write agent memory roles

Webhook Scopes

Control access to webhook subscriptions and their delivery history.

ScopeDescription
webhook:readRead webhook configurations and delivery history
webhook:manageCreate, update, test, and delete webhooks

User Scopes

Control access to the authenticated user's own profile and account state.

ScopeDescription
user:readRead the authenticated user profile and account state
user:writeUpdate the authenticated user profile and onboarding state

Hive / Org Scopes

Control access to hives (organizations) -- shared memory spaces for team and multi-agent collaboration -- including membership and role management.

ScopeDescription
org:readRead hives (organizations), members, and shared configuration
org:manageCreate and delete hives, manage members and roles

Admin Scopes

Control credential management: API keys and OAuth applications.

ScopeDescription
apikey:manageCreate, rotate, and revoke API keys
oauth:manageManage OAuth applications and grants

Scope Hierarchy

Scopes follow a resource-action pattern: resource:action. Higher-privilege actions do not automatically include lower-privilege ones.

Independent scopes

Each scope is independent. Having memory:write does not grant memory:read. If your application needs to both read and write memories, you must request both scopes.

Delete requires explicit grant

memory:delete is always separate from memory:write and must be explicitly granted.

Cross-resource independence

Scopes for different resources are completely independent. memory:read does not grant access to agents, webhooks, or any other resource.

Common Scope Combinations

For a typical agent integration, you will likely need: memory:read, memory:write, and agent:read (plus agent:spawn if it starts runs).

Requesting Scopes

How you specify scopes depends on your authentication method:

API Keys
// Scopes are assigned when creating the key
const key = await rekall.apiKeys.create({
name: 'Agent Memory Access',
scopes: [
'memory:read',
'memory:write',
'agent:read',
'agent:spawn',
],
});
OAuth 2.0
// Scopes are requested in the authorization URL
const authUrl = new URL('https://api.rekall.ai/v1/oauth/authorize');
authUrl.searchParams.set('client_id', 'rkapp_your_client_id');
authUrl.searchParams.set('scope', 'memory:read memory:write agent:read');
// ...other parameters

Checking Permissions

You can check what scopes a token or key has by calling the introspection endpoint or checking the response headers.

// Check scopes via the introspection endpoint
const tokenInfo = await rekall.auth.introspect();
console.log(tokenInfo.scopes);
// ["memory:read", "memory:write", "agent:read"]
// Or check the x-rekall-scopes response header
const response = await fetch('https://api.rekall.ai/v1/memories', {
headers: { 'Authorization': `Bearer ${apiKey}` },
});
const grantedScopes = response.headers.get('x-rekall-scopes');
console.log(grantedScopes);
// "memory:read,memory:write,agent:read"

Insufficient Scopes

If a request requires a scope that the token does not have, the API returns a 403 Forbidden response with a missing_scope error code and the required scope in the response body.

403 Forbidden response
{
"error": "missing_scope",
"message": "This action requires the 'memory:write' scope.",
"required_scope": "memory:write",
"granted_scopes": ["memory:read", "agent:read"]
}

Legacy Scope Mapping

Older API keys created before the granular scope system use legacy scopes. These are automatically mapped to the new system:

Legacy ScopeMaps To
read
memory:readagent:readuser:readorg:readwebhook:read
write
memory:writememory:deleteagent:spawnwebhook:manageuser:write
learn
agent:manage
admin
org:manageapikey:manageoauth:manage

Migration

Legacy scopes will continue to work indefinitely. However, we recommend migrating to granular scopes for better security. You can update a key's scopes in the dashboard or by creating a new key with the specific scopes you need.

Rekall
rekall