Documentation

Authentication & Security

Security and privacy are not add-ons; they are the foundational primitives of our infrastructure. We built this API so you can give your AI agents perfect memory without ever sacrificing your end-users' privacy.

This guide explains how to authenticate your API requests, manage your users securely, and understand our zero-logging cryptographic architecture.

1. API Authentication

All server-to-server requests to our API must be authenticated using your secret Maple Memory API Key. You can generate and revoke Maple Memory API Keys from your Developer Dashboard.

Pass your Maple Memory API Key in the Authorization HTTP header as a Bearer token.

HTTP

POST /memories/search HTTP/1.1
Host: api.yourdomain.com
Authorization: Bearer heymaple_live_your_secret_heymaple_api_key_here
Content-Type: application/json

Python

import requests

HEADERS = {
    "Authorization": "Bearer heymaple_live_your_secret_heymaple_api_key_here",
    "Content-Type": "application/json"
}

Security Best Practices
  • Never share your secret keys. Keep them out of version control using environment variables (.env).
  • Never expose keys in the browser. All calls should be routed through your own backend.
  • Rotate compromised keys immediately via the dashboard.

2. Multi-Tenancy (User Isolation)

Because you are building an application for your users, strict data isolation is critical. Our API is inherently multi-tenant.

Every memory node, conversation, and graph link is strictly bound to the specific user_id you provide in your request payload.

# The memories generated here will ONLY be accessible 
# when you pass "user_98765" in future requests.
payload = {
    "user_id": "user_98765",  # Your system's unique user identifier
    "content": "I need to update my billing address."
}

response = requests.post("https://api.yourdomain.com/chat", json=payload, headers=HEADERS)

How we enforce isolation
At the database level, Row-Level Security (RLS) and strict ORM scoping guarantee that a search query cannot return Memory Nodes belonging to a different user_id, even if the semantic vectors are identical.
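
Because isolation is keyed on the user_id your backend sends, and the Security Best Practices above require the key to stay server-side, the following added example (not code from this API's documentation) shows a backend helper that loads the key from the environment and takes user_id from the authenticated session instead of the browser payload. The variable name MAPLE_MEMORY_API_KEY and the function names are assumptions made for illustration; the host and /chat path are the placeholders used on this page.

```python
import json
import os
import urllib.request

API_BASE = "https://api.yourdomain.com"  # placeholder host used on this page
KEY_ENV_VAR = "MAPLE_MEMORY_API_KEY"     # assumed name, not defined by the API


def load_api_key(environ=os.environ):
    # Read the secret from the process environment (populated from .env or a
    # secret manager) so it never appears in source control or in the browser.
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_chat_request(session_user_id, client_body, api_key):
    """Build the server-to-server /chat call for one authenticated end user."""
    # session_user_id must come from your own verified session or token.
    if not isinstance(session_user_id, str) or not session_user_id:
        raise PermissionError("no authenticated user for this request")
    # client_body is the untrusted JSON received from the browser.
    content = client_body.get("content")
    if not isinstance(content, str) or not content.strip():
        raise ValueError("content must be a non-empty string")
    # Copy only the expected field. A user_id supplied by the client is
    # dropped, so a caller cannot select another tenant's memories.
    payload = {"user_id": session_user_id, "content": content}
    return urllib.request.Request(
        f"{API_BASE}/chat",
        data=json.dumps(payload).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample: the browser tries to act as a different user.
    forged = {"user_id": "user_00001", "content": "I need to update my billing address."}
    req = build_chat_request("user_98765", forged, "example-key-not-real")
    print(req.full_url, json.loads(req.data))
```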

3. Our "Zero-Logging" Privacy Architecture

Most AI infrastructure providers log your plaintext prompts to their databases. We don't. We operate as a "Blindfolded Middleman" using a three-step privacy protocol.

A. The "Digital Shredder" (RAM-Only Processing)
When you send a message, the plaintext exists only in RAM for the milliseconds it takes to process. The moment the API returns a response, our garbage collectors physically wipe the variables. We do not write plaintext to application logs.

B. Application-Level Encryption (AES-256)
Before any memory node is saved, it is encrypted using AES-256. If our DBAs look at your records, they see mathematical arrays and encrypted ciphertext (gAAAAABk7y...). Decryption keys live in isolated runtime environments.

C. The Vector Abstraction
To perform fast semantic searches, we index the Dense Vector. Because semantic vectors are mathematically irreversible, we can search accurately without ever needing to decrypt the actual text until the exact moment of retrieval.

4. Compliance & Trust

By utilizing our API, you drastically reduce your own infrastructure's compliance burden. Integrating our Contextual Memory Graphs helps accelerate your own path to SOC2 and HIPAA compliance.
