Authentication
All API requests must include a valid API key in the Authorization header.
Bearer token
Authorization: Bearer YOUR_API_KEYAPI keys have the prefix mmk_ followed by a hex string:
mmk_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4Scopes
Keys issued through the dashboard carry one of two scopes:
| Scope | Description |
|---|---|
read | Recall and verify only — no writes, no training |
full | Full access: store, recall, checkpoint, admin |
Read-only keys are safe to embed in client-side applications or share with third parties who need to verify facts but not write new ones.
Key rotation
Keys can be rotated from the dashboard. Rotation runs a multi-step process: a new key is generated, deployed to your substrate containers, and made available to claim. Your old key stays active until you claim the new key and update your client configuration — there is no forced cutover.
After claiming the new key from the dashboard:
- Open your Claude Desktop config (
Settings → Developer → Edit Config) and replace theAuthorizationheader value with the new key. - Restart Claude Desktop. Your substrate will reconnect automatically.
Never commit API keys to version control. Use environment variables:
MMPM_API_KEY=mmk_...in.env.local.
MCP OAuth2
The MCP server (port 3001) additionally supports OAuth2 for agent frameworks that
require it. See MCP Integration for details.