Memory endpoints now accept API key auth with per-key isolation

2026-03-25

memoryauth

What We Built

Relaxed authentication on 8 memory endpoints to accept API key auth as a fallback when no agent JWT session exists. Previously, memory endpoints derived the session key from the agent JWT's sid claim. For API key callers (like the Brainstorm CLI), the session key was undefined, meaning all API key holders within a tenant shared the same unscoped memory pool.

Now, API key callers get their own isolated memory scope using apikey:{apiKey.id} as the subject key. This provides per-API-key memory isolation without any schema changes — the existing session_id column in the RMM SQLite database serves as a generic subject key.

Why It Matters

The Brainstorm CLI authenticates with br_live_* API keys, not agent JWTs. Without this change, the CLI couldn't use memory endpoints with proper isolation. This is the foundation for CLI agents to store and retrieve context across sessions.

How It Works

Replaced requireAgentSession() with resolveMemorySubject() in src/api/routes/memory.ts:

  • agent-jwt with sid: returns sessionId (unchanged)
  • agent-jwt without sid + isolation enabled: returns 403 (unchanged)
  • api_key auth: returns apikey:{apiKey.id} (new — per-key scoped memory)
  • other: returns undefined (tenant-wide, backward compat)

The apikey: prefix ensures API key memory subjects are naturally separated from agent JWT session IDs (which are UUIDs).
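
The resolution rules above as a runnable sketch, with a check that two API keys in one tenant cannot read each other's rows. This is an added example, not the project's code: the CallerAuth shape, the MemoryRow type, listMemories, the read semantics and the sample rows are assumptions; only the four outcomes and the apikey:{apiKey.id} format come from this page.

```typescript
// Added illustration. CallerAuth, MemoryRow and helper names are assumptions,
// not the project's code; only the four outcomes come from the list above.
type CallerAuth =
  | { kind: "agent-jwt"; tenantId: string; sid?: string }
  | { kind: "api_key"; tenantId: string; apiKey: { id: string } }
  | { kind: "other"; tenantId: string };

type SubjectResult = { ok: true; subject: string | undefined } | { ok: false; status: 403 };

function resolveMemorySubject(auth: CallerAuth, isolationEnabled: boolean): SubjectResult {
  if (auth.kind === "agent-jwt") {
    if (auth.sid) return { ok: true, subject: auth.sid };
    // No sid: refuse when isolation is on instead of falling back to the shared pool.
    if (isolationEnabled) return { ok: false, status: 403 };
    return { ok: true, subject: undefined }; // assumed: handled like "other"
  }
  if (auth.kind === "api_key") return { ok: true, subject: `apikey:${auth.apiKey.id}` };
  return { ok: true, subject: undefined }; // tenant-wide, backward compat
}

// Stand-in for the session_id column used as a generic subject key.
type MemoryRow = { tenantId: string; subject: string | null; text: string };

// Assumed read semantics: a caller sees rows whose tenant and subject key both match.
function listMemories(rows: MemoryRow[], auth: CallerAuth, isolationEnabled = true): string[] {
  const r = resolveMemorySubject(auth, isolationEnabled);
  if (!r.ok) throw new Error(`HTTP ${r.status}`);
  const key = r.subject ?? null;
  return rows.filter(x => x.tenantId === auth.tenantId && x.subject === key).map(x => x.text);
}

// Constructed sample data: two API keys and one agent session in the same tenant.
const sampleRows: MemoryRow[] = [
  { tenantId: "t1", subject: "apikey:key_a", text: "cli A context" },
  { tenantId: "t1", subject: "apikey:key_b", text: "cli B context" },
  { tenantId: "t1", subject: "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b", text: "agent context" },
  { tenantId: "t1", subject: null, text: "legacy shared" },
];
```

The separation between API key subjects and agent sessions holds only while every sid really is a UUID, since a UUID can never begin with apikey:.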

Lockstep Checklist

  • [x] API Routes: src/api/routes/memory.ts (resolveMemorySubject replaces requireAgentSession)
  • [x] TS SDK: N/A — no new endpoints or changed request/response contract
  • [x] Python SDK: N/A — no new endpoints or changed request/response contract
  • [x] MCP Schemas: N/A — no new tools needed
  • [x] Tests: src/api/routes/memory.test.ts — API key auth and isolation tests added