Scopes & permissions
How access control works
API key scopes
When you create an API key, you select a scope that determines the key’s access level:
| Scope | Access | Use case |
|---|---|---|
| owner | Read + write | Personal keys, full agent access |
| member | Read-only | Organization keys, shared read access |
Default for personal keys: owner.
OAuth scopes
The OAuth flow advertises three scopes:
| Scope | Description |
|---|---|
| memory:read | Read nodes, edges, and graph state |
| memory:write | Create and update nodes and edges |
| memory:admin | Full access including administrative operations |
Scopes are enforced primarily through plan limits and rate limits, not by gating on individual scope strings. All authenticated users have access to the tools their plan allows.
Plan-based enforcement
Access to certain features depends on your plan tier:
| Feature | Free | Basic | Pro | Business | Enterprise |
|---|---|---|---|---|---|
| File upload (hm_upload_file) | No | No | Yes | Yes | Yes |
| Multiple graphs | 1 | 1 | 4 | 20 | Unlimited |
| Advanced analytics | No | No | No | Yes | Yes |
| SSO / SAML | No | No | No | No | Yes |
See Plans for the complete tier comparison.