Scope Reference
Rekall uses 14 granular scopes to control API access. Following the principle of least privilege, assign only the scopes your application needs.
Scope format
Scopes follow the pattern resource:action. For example, memories:read grants read access to all memory types.
Memory Scopes
Control access to all 7 memory types (episodic, semantic, procedural, long-term, short-term, execution, preferences).
| Scope | Description |
|---|---|
| memories:read | Read and search memories across all memory types. Includes listing, filtering, and semantic search. |
| memories:write | Create and update memories of any type. Includes setting metadata, tags, and context. |
| memories:delete | Delete individual memories or bulk-delete by filter. Permanent and irreversible. |
Entity Scopes
Control access to entities within the semantic knowledge graph.
| Scope | Description |
|---|---|
| entities:read | Read entities from the knowledge graph. Includes listing, searching, and fetching entity details. |
| entities:write | Create and update entities in the knowledge graph. Includes setting properties and types. |
| entities:delete | Delete entities from the knowledge graph. Also removes associated relationships. |
Relationship Scopes
Control access to relationships between entities. Requires corresponding entity read access for traversal queries.
| Scope | Description |
|---|---|
| relationships:read | Read relationships between entities. Includes traversal queries and relationship listing. |
| relationships:write | Create and update relationships between entities. Includes setting relationship type and weight. |
Workflow Scopes
Control access to procedural workflow definitions and their execution.
| Scope | Description |
|---|---|
| workflows:read | Read workflow definitions and execution history. Includes listing and status queries. |
| workflows:write | Create, update, and trigger workflows. Includes defining steps, conditions, and schedules. |
Agent Scopes
Control access to agent husks, their lifecycle, and associated memory contexts.
| Scope | Description |
|---|---|
| agents:read | Read agent husks and their associated memory contexts. Includes listing and status queries. |
| agents:write | Create and update agent husks. Includes spawning, terminating, and configuring agent identity. |
Hive Scopes
Control access to hive management, membership, and shared memory contexts.
| Scope | Description |
|---|---|
| hives:read | Read hive details, member lists, and shared memory contexts. Includes listing and search. |
| hives:write | Create and manage hives. Includes adding/removing members and configuring shared memory access. |
Legacy Mapping
If you are migrating from Rekall v0.x, the legacy scopes map to the new granular scopes as follows. Legacy scopes are still accepted but will be deprecated in v2.0.
| Legacy Scope | New Scopes |
|---|---|
| read | memories:read, entities:read, relationships:read, workflows:read, agents:read, hives:read |
| write | memories:write, entities:write, relationships:write, workflows:write, agents:write, hives:write |
| delete | memories:delete, entities:delete |
Deprecation notice
Legacy scopes (read, write, delete) will be removed in Rekall v2.0. Migrate to granular scopes before the deprecation date.
Best Practices
Apply least privilege
Only grant the specific scopes your application needs. A read-only dashboard should not have write or delete access.
Separate keys per environment
Use different API keys for development, staging, and production. Each can have its own scope set.
Audit scope usage
Review your API key scopes regularly in the dashboard. Remove unused scopes to reduce your attack surface.
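An added example (not Rekall's own code) of the migration and audit steps above: it expands legacy scopes using the Legacy Mapping table, rejects names outside the 14 documented scopes, and reports what a key holds beyond what the application needs. The `expand` and `audit` helpers and the sample key are hypothetical.

```python
# Added example: scope names and the legacy mapping are taken from the tables on this page.
GRANULAR = {
    "memories": ("read", "write", "delete"),
    "entities": ("read", "write", "delete"),
    "relationships": ("read", "write"),
    "workflows": ("read", "write"),
    "agents": ("read", "write"),
    "hives": ("read", "write"),
}
ALL_SCOPES = frozenset(f"{r}:{a}" for r, acts in GRANULAR.items() for a in acts)

# Legacy v0.x scope -> every granular scope with the same action (matches Legacy Mapping).
LEGACY = {
    action: frozenset(s for s in ALL_SCOPES if s.endswith(":" + action))
    for action in ("read", "write", "delete")
}


def expand(granted):
    """Return the granular scopes a grant effectively holds; reject unknown names."""
    effective = set()
    for scope in granted:
        if scope in LEGACY:
            effective |= LEGACY[scope]
        elif scope in ALL_SCOPES:
            effective.add(scope)
        else:
            raise ValueError(f"unknown scope: {scope!r}")
    return effective


def audit(granted, required):
    """Compare a key's grant with what the application needs (hypothetical helper)."""
    effective, needed = expand(granted), expand(required)
    warnings = []
    if "relationships:read" in needed and "entities:read" not in needed:
        warnings.append("traversal queries also need entities:read")
    return {
        "legacy": sorted(s for s in granted if s in LEGACY),   # must migrate before v2.0
        "excess": sorted(effective - needed),                  # remove these scopes
        "missing": sorted(needed - effective),                 # calls that would be denied
        "minimal": sorted(needed),                             # least-privilege grant
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed case: a read-only dashboard key that was created with legacy scopes.
    print(audit(granted=["read", "write"], required=["memories:read", "entities:read"]))
```

For the constructed dashboard key, the report shows ten excess scopes and a minimal grant of `entities:read` and `memories:read`.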
