API keys
Key format, creation, rotation, and storage
API keys authenticate requests to HyperMemory when you are not using OAuth.
Key format
| Property | Value |
|---|---|
| Prefix | hm_ |
| Body | 64 hexadecimal characters |
| Example | hm_a1b2c3d4e5f6... (64 hex chars) |
Keys are stored server-side as a SHA-256 hash. The full key is shown only once at creation time.
Create a key
- Go to app.hypermemory.io
- Click API Keys in the main navigation
- Click Create key
- Select which graph the key will have access to (if your plan supports multiple graphs)
- Choose a scope: owner (read + write) or member (read-only)
- Copy the key — it is shown once
Use a key
Pass the key as a Bearer token:
Authorization: Bearer hm_YOUR_KEY
Or set the environment variable:
export HYPERMEMORY_API_KEY=hm_YOUR_KEY
The hm CLI reads this variable automatically. See MCP with API key for client-specific configuration.
Key binding
Each API key is bound to a specific graph at creation time. When authenticating with an API key, the middleware detects the hm_ prefix and resolves your tenant from the api_keys system table.
Key scopes
| Scope | Access | Default for |
|---|---|---|
| owner | Read + write | Personal keys |
| member | Read-only | Organization keys |
Rotate a key
- Create a new key with the same scope and graph binding
- Update your clients to use the new key
- Revoke the old key
Revoke a key
Revoking is immediate. The key stops working on the next request.
Go to API Keys in the main navigation and click Revoke next to the key.
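
The key handling this page describes (the hm_ format, SHA-256 storage, graph binding, scopes, and revocation) can be modeled in a few functions. This is an added sketch, not HyperMemory's own code: the in-memory `table` dict, its row fields, and the function names are assumptions standing in for the api_keys system table and the middleware.

```python
import hashlib
import re
import secrets

# Assumption: lowercase hex, as in the page's example key.
KEY_RE = re.compile(r"hm_[0-9a-f]{64}")
# Scope names are from the page; the permission sets mirror its scope table.
SCOPE_PERMS = {"owner": {"read", "write"}, "member": {"read"}}


def key_hash(key: str) -> str:
    # Assumption: the hash covers the whole key string, prefix included.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def create_key(table: dict, graph: str, scope: str) -> str:
    """Mint a key, store only its hash, and return the plaintext once."""
    if scope not in SCOPE_PERMS:
        raise ValueError("unknown scope")
    key = "hm_" + secrets.token_hex(32)  # 32 random bytes -> 64 hex chars
    table[key_hash(key)] = {"graph": graph, "scope": scope, "revoked": False}
    return key


def authorize(table: dict, header: str, graph: str, action: str) -> bool:
    """Decide whether an Authorization header permits `action` on `graph`."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return False  # malformed, truncated, or not an hm_ key at all
    row = table.get(key_hash(token))  # lookup by hash, never by plaintext
    if row is None or row["revoked"]:
        return False
    # The key is bound to one graph, and its scope caps the allowed actions.
    return row["graph"] == graph and action in SCOPE_PERMS[row["scope"]]


def revoke(table: dict, key: str) -> None:
    """Mark the key's row revoked; the next authorize() call rejects it."""
    table[key_hash(key)]["revoked"] = True
```

Because only the digest is stored, a copy of the table does not reveal usable keys, and a lost key cannot be recovered, only replaced through rotation.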