Files
thedotmack-claude-mem/docs
ChenglinWei97 9cb6f07845 feat(server): key issuance + connect onboarding (POST /v1/keys, GET /v1/connect)
- POST /v1/keys (write scope) mints a READ-ONLY, optionally-expiring API key for
  the team and returns the paste-ready `claude mcp add ... /v1/mcp` command. Raw
  key shown once. Write-scope gate means a read key can't escalate into more keys.
- GET /v1/connect (read scope) returns the same command with a <YOUR_API_KEY>
  placeholder. mcpUrl comes from CLAUDE_MEM_PUBLIC_URL or the request host.

The minted key lands in the same Postgres api_keys store readAuth checks, so it
authenticates immediately — the test asserts a freshly-minted key calls /v1/usage
and gets 200. Cold-start (first key via web session) still needs the better-auth
org → team mapping; documented in api.md.

Tests (postgres-gated): mint → 201 + command shape, minted key authenticates,
read key can't mint (403), GET /v1/connect placeholder. Verified live 11/11; tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 23:17:31 -07:00
..