API keys
All requests toapi.thrindex.com are authenticated with a Bearer token. API keys are created in the dashboard and scoped to an organization.
th_live_ followed by 64 hexadecimal characters (32 random bytes). This is the only authentication method accepted by the memory API.
Scopes
Each key is granted a subset of the following scopes. Only request the scopes your agent actually needs.| Scope | Grants access to |
|---|---|
memory:write | POST /v1/memories — store new memories |
memory:read | POST /v1/memories/search, GET /v1/memories, GET /v1/memories/{id} — retrieve memories |
memory:delete | DELETE /v1/memories/{id} — delete memories |
Missing scope errors
When a valid key is used for an endpoint it does not have scope for, the API returns401 with error code forbidden:
unauthorized (invalid or missing key), which is also 401 but with code unauthorized.
Rate limits
Rate limits are enforced per API key. When a key exceeds its configured request rate, the API returns429 Too Many Requests:
Retry-After: 1 header indicating how many seconds to wait before retrying. Both the Python and TypeScript SDKs respect this header automatically and retry without blocking.
Security best practices
Keep keys server-side
API keys must only be used from your backend. Never put them in:- Browser JavaScript or browser bundles
- Mobile app binaries
- Public repositories or commit history
- Client-side configuration files
One key per environment
Use separate keys for production, staging, and development. This limits the blast radius of any leak and lets you revoke individual environments without disrupting others.Store keys in secrets managers
Use environment variables backed by a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, etc.) or your platform’s native secret store (Vercel environment variables, Railway secrets, etc.).Rotate after a leak
If a key is compromised:- Create a new key with the same scopes.
- Deploy the new key to all services.
- Revoke the old key from the dashboard.
Data isolation
Every API key is tied to exactly one organization. Theorg_id is derived from the key during authentication and is never accepted from the request body. A key cannot read or write data belonging to another organization — this is enforced at the database level.