f9447f8e5f
CI / typecheck · build · test · bundle-size (push) Failing after 1s
CI / clean-room dependency closure smoke (push) Failing after 1s
CI / server-runtime e2e (docker · pg + valkey) (push) Failing after 2s
Deploy Install Scripts / deploy (push) Failing after 2s
Windows / build (push) Has been cancelled
127 lines
5.4 KiB
Markdown
127 lines
5.4 KiB
Markdown
# Server API
|
|
|
|
REST V1 is mounted under `/v1`; legacy worker routes remain under `/api`.
|
|
|
|
Available beta endpoints:
|
|
|
|
- `GET /healthz`
|
|
- `GET /v1/info`
|
|
- `GET /v1/projects`
|
|
- `POST /v1/projects`
|
|
- `GET /v1/projects/:id`
|
|
- `POST /v1/sessions/start`
|
|
- `POST /v1/sessions/:id/end`
|
|
- `GET /v1/sessions/:id`
|
|
- `POST /v1/events`
|
|
- `POST /v1/events/batch`
|
|
- `GET /v1/events/:id`
|
|
- `POST /v1/memories`
|
|
- `GET /v1/memories/:id`
|
|
- `PATCH /v1/memories/:id`
|
|
- `POST /v1/search`
|
|
- `POST /v1/context`
|
|
- `ALL /v1/mcp` (remote MCP recall — see below)
|
|
- `POST /v1/keys`
|
|
- `GET /v1/connect`
|
|
- `GET /v1/usage`
|
|
- `DELETE /v1/memories/:id`
|
|
- `DELETE /v1/projects/:projectId/memory`
|
|
- `GET /v1/audit?projectId=<id>`
|
|
|
|
When `CLAUDE_MEM_AUTH_MODE=api-key`, send `Authorization: Bearer <key>`. Read endpoints require `memories:read`; write endpoints require `memories:write`.
|
|
|
|
## Rate limiting, quota, and usage metering
|
|
|
|
These paid-readiness guards run after auth and are **opt-in via env** — unset (the
|
|
default) means no rate limit, no quota, and no metering, so behavior is unchanged.
|
|
|
|
- `CLAUDE_MEM_RATE_LIMIT_PER_MIN` — max requests per API key per minute. Over the
|
|
limit returns `429` with `Retry-After` (and `X-RateLimit-*` headers). Fail-open.
|
|
- `CLAUDE_MEM_MONTHLY_REQUEST_CAP` — max requests per team per calendar month
|
|
(UTC). At the cap, returns `402 quota_exceeded`. Fail-open.
|
|
- `CLAUDE_MEM_MONTHLY_TOKEN_CAP` — max provider tokens per team per month. Gates
|
|
**writes only** (ingestion drives generation = token spend); reads stay
|
|
available so a team over budget can still recall. `402` at the cap. Fail-open.
|
|
- `CLAUDE_MEM_USAGE_METERING=1` — record one `request` usage event per
|
|
authenticated call (fire-and-forget). Token/observation metering writes to the
|
|
same `usage_events` table from the generation worker.
|
|
|
|
`GET /v1/usage` returns the caller team's per-kind totals for the current month:
|
|
|
|
```json
|
|
{ "since": "2026-06-01T00:00:00.000Z", "usage": { "request": 1280, "observation": 44 } }
|
|
```
|
|
|
|
## Connecting an MCP client (key issuance + connect)
|
|
|
|
- `POST /v1/keys` (**write** scope) mints a **read-only** API key for the caller's
|
|
team and returns the paste-ready connect command. The raw key is shown **once**.
|
|
Body: `{ "expiresInDays"?: number }`. Minting requires write scope so a read key
|
|
can't escalate into more keys.
|
|
|
|
```json
|
|
{
|
|
"id": "...", "apiKey": "cm_...", "scopes": ["memories:read"], "expiresAt": null,
|
|
"mcpUrl": "https://<host>/v1/mcp",
|
|
"connectCommand": "claude mcp add --transport http claude-mem https://<host>/v1/mcp --header \"Authorization: Bearer cm_...\""
|
|
}
|
|
```
|
|
|
|
- `GET /v1/connect` (read scope) returns the same command with a `<YOUR_API_KEY>`
|
|
placeholder (a GET never mints). `mcpUrl` is built from `CLAUDE_MEM_PUBLIC_URL`
|
|
(recommended behind a proxy) or the request host.
|
|
|
|
> Cold-start note: minting the team's *first* key still needs a session-gated path
|
|
> (web dashboard). better-auth's `apiKey()` plugin exists but writes to a separate
|
|
> store than the Postgres `api_keys` these routes authenticate against — wiring the
|
|
> better-auth org → Server Beta team mapping is the remaining piece.
|
|
|
|
## Event generation semantics
|
|
|
|
`POST /v1/events` accepts two query flags that control observation generation:
|
|
|
|
- `generate=false` — write the event but do not enqueue a generation job.
|
|
- `wait=true` — return the `generationJob` descriptor in the response, so
|
|
callers can poll `GET /v1/jobs/:id` for completion.
|
|
|
|
Without `wait=true`, the response includes the new event row and a best-
|
|
effort `generationJob` field. With `wait=true`, the `generationJob` field is
|
|
always populated (or `null` only when generation was explicitly disabled).
|
|
The actual provider call happens in a separate BullMQ worker process
|
|
(`claude-mem server worker start`); the HTTP path never blocks on a
|
|
provider response.
|
|
|
|
## Remote MCP endpoint
|
|
|
|
`/v1/mcp` is a streamable-HTTP [MCP](https://modelcontextprotocol.io) server —
|
|
the secure, authenticated link a user pastes into Claude Code (or any MCP
|
|
client) to recall their cloud memory. It is read-only and authenticated by the
|
|
same API key as the REST routes (`memories:read`); the key's team (and project,
|
|
if the key is project-scoped) bound every read.
|
|
|
|
Connect:
|
|
|
|
```bash
|
|
claude mcp add --transport http claude-mem <server-base>/v1/mcp \
|
|
--header "Authorization: Bearer cm_..."
|
|
```
|
|
|
|
Tools:
|
|
|
|
- `search` — `{ projectId, query, limit? }` → matching observations (FTS, same
|
|
path as `POST /v1/search`).
|
|
- `context` — `{ projectId, query, limit? }` → observations plus a concatenated
|
|
`context` string ready for prompt injection (same path as `POST /v1/context`).
|
|
- `recent` — `{ projectId, limit? }` → the newest observations for a project.
|
|
|
|
The transport is stateless: one MCP server + transport per request, so it needs
|
|
no session affinity behind a load balancer. Mutating tools are intentionally
|
|
absent — a pasted recall link cannot write.
|
|
|
|
## Data deletion (forget)
|
|
|
|
Right-to-erasure. Both require **write** scope and are scoped to the caller's team.
|
|
|
|
- `DELETE /v1/memories/:id` — delete a single observation (its sources cascade). `404` if it doesn't exist for the team.
|
|
- `DELETE /v1/projects/:projectId/memory` — purge ALL captured content for a project (observations, agent events, sessions, generation jobs); keeps the project shell. Returns per-table `counts`. `404` if the project doesn't belong to the team. Both are audited (`observation.deleted` / `project.memory_purged`).
|