memtrace accessEnterprise
Admin-only local credential commands for bootstrap, service accounts, offline access, and immediate revocation.
Usage#
memtrace access list|add|rotate|revokeEnterprisememtrace access manages user credentials directly on a self-hosted MemDB. It uses the endpoint and TLS settings from the current workspace and the admin bearer stored for that endpoint. Mutations take effect immediately; they do not rewrite the mounted tokens.store or restart MemDB.
For normal users, add the person on memtrace.io/account and have them run memtrace auth login followed by memtrace connect <organization-slug>. Use these commands for bootstrap, service accounts, air-gapped access, and urgent immediate revocation.
Owner prerequisite#
Connect the enterprise owner once with the owner-only file from the provisioning bundle:
memtrace connect cluster/owner-connect.json memtrace access list
This stores the bootstrap admin bearer in the owner's local credentials.json. If no admin bearer is stored, access stops with an actionable connect command. A non-admin bearer is rejected by MemDB withPermissionDenied.
Commands#
| Command | Behavior |
|---|---|
memtrace access list | Lists managed token IDs, principals, roles, and active/revoked status. |
memtrace access add <principal> [--role writer] [--out file] | Creates one admin, writer, or reader credential. Writer is the default role. |
memtrace access rotate <token-id> [--out file] | Invalidates the old bearer immediately and returns a replacement once. |
memtrace access revoke <token-id> | Invalidates the current bearer immediately while retaining revoked metadata. |
List, rotate, and revoke use the safe identifier shown by access list, for example tok_01.... The bearer is a separate secret returned only when a credential is created or rotated.
Connection files#
Prefer --out. It writes the generated bearer directly into a user-specific connection file along with the current endpoint, database, org, license reference, and TLS CA. On Unix the file is created with 0600 permissions, and the CLI refuses to overwrite an existing path.
memtrace access add alice@example.com --role writer --out alice.connect.json # Send alice.connect.json through a secure channel. Alice runs: memtrace connect alice.connect.json memtrace start
A user connection file contains a live bearer. Do not commit it, attach it to a ticket, or send it through ordinary chat. After the user connects, delete the transferred copy according to your secret-handling policy; their local credential is stored in credentials.json.
Security and persistence#
- Only callers authenticated with the MemDB
adminrole can use token-management RPCs. - MemDB generates bearers with the operating system CSPRNG and returns plaintext exactly once.
- Only BLAKE3 hashes and token metadata are persisted.
- The last available administrator cannot be revoked.
- Duplicate active principals and unknown roles are rejected.
- Managed state persists at
<data-dir>/auth/managed_tokens.toml.
Docker volumes and single-replica Kubernetes PVCs retain this file across restarts. Multi-replica raft token replication is not yet supported; see Self-hosted access for the deployment boundary.
Examples#
# Create a normal engineer credential memtrace access add alice@example.com --role writer --out alice.connect.json # Create read-only CI access memtrace access add reports-ci --role reader --out reports-ci.connect.json # Inspect IDs and status memtrace access list # Rotate and securely redistribute the replacement memtrace access rotate tok_01ABC... --out alice.rotated.connect.json # Revoke access immediately memtrace access revoke tok_01ABC...
See also memtrace connect, Self-hosted access, and Deploy MemDB.