MemtraceDOCS

memtrace accessEnterprise

Admin-only local credential commands for bootstrap, service accounts, offline access, and immediate revocation.

Usage#

memtrace access list|add|rotate|revokeEnterprise

memtrace access manages user credentials directly on a self-hosted MemDB. It uses the endpoint and TLS settings from the current workspace and the admin bearer stored for that endpoint. Mutations take effect immediately; they do not rewrite the mounted tokens.store or restart MemDB.

ORGANIZATION MEMBERS DO NOT NEED A CONNECTION FILE

For normal users, add the person on memtrace.io/account and have them run memtrace auth login followed by memtrace connect <organization-slug>. Use these commands for bootstrap, service accounts, air-gapped access, and urgent immediate revocation.

Owner prerequisite#

Connect the enterprise owner once with the owner-only file from the provisioning bundle:

terminal
memtrace connect cluster/owner-connect.json
memtrace access list

This stores the bootstrap admin bearer in the owner's local credentials.json. If no admin bearer is stored, access stops with an actionable connect command. A non-admin bearer is rejected by MemDB withPermissionDenied.

Commands#

CommandBehavior
memtrace access listLists managed token IDs, principals, roles, and active/revoked status.
memtrace access add <principal> [--role writer] [--out file]Creates one admin, writer, or reader credential. Writer is the default role.
memtrace access rotate <token-id> [--out file]Invalidates the old bearer immediately and returns a replacement once.
memtrace access revoke <token-id>Invalidates the current bearer immediately while retaining revoked metadata.
TOKEN ID IS NOT THE BEARER

List, rotate, and revoke use the safe identifier shown by access list, for example tok_01.... The bearer is a separate secret returned only when a credential is created or rotated.

Connection files#

Prefer --out. It writes the generated bearer directly into a user-specific connection file along with the current endpoint, database, org, license reference, and TLS CA. On Unix the file is created with 0600 permissions, and the CLI refuses to overwrite an existing path.

terminal
memtrace access add alice@example.com   --role writer   --out alice.connect.json

# Send alice.connect.json through a secure channel. Alice runs:
memtrace connect alice.connect.json
memtrace start
TREAT GENERATED CONNECTION FILES AS SECRETS

A user connection file contains a live bearer. Do not commit it, attach it to a ticket, or send it through ordinary chat. After the user connects, delete the transferred copy according to your secret-handling policy; their local credential is stored in credentials.json.

Security and persistence#

  • Only callers authenticated with the MemDB admin role can use token-management RPCs.
  • MemDB generates bearers with the operating system CSPRNG and returns plaintext exactly once.
  • Only BLAKE3 hashes and token metadata are persisted.
  • The last available administrator cannot be revoked.
  • Duplicate active principals and unknown roles are rejected.
  • Managed state persists at <data-dir>/auth/managed_tokens.toml.

Docker volumes and single-replica Kubernetes PVCs retain this file across restarts. Multi-replica raft token replication is not yet supported; see Self-hosted access for the deployment boundary.

Examples#

terminal
# Create a normal engineer credential
memtrace access add alice@example.com --role writer --out alice.connect.json

# Create read-only CI access
memtrace access add reports-ci --role reader --out reports-ci.connect.json

# Inspect IDs and status
memtrace access list

# Rotate and securely redistribute the replacement
memtrace access rotate tok_01ABC... --out alice.rotated.connect.json

# Revoke access immediately
memtrace access revoke tok_01ABC...

See also memtrace connect, Self-hosted access, and Deploy MemDB.