MemtraceDOCS

Self-hosted MemDB accessEnterprise

Add members on memtrace.io and let each member connect to your self-hosted MemDB with their own organization identity.

Organization membership is the normal access path for self-hosted MemDB. The owner adds a person to the organization on memtrace.io/account. That person signs in with the CLI and connects by organization slug. Memtrace verifies the active member and enterprise subscription, then the customer's MemDB creates a local, expiring bearer credential. No bearer file is sent between people.

How enrollment works#

Organization member enrollmentSEQUENCE
add Alice to organizationauth login + connect organization5-minute signed enrollment assertionexchange assertion locally24-hour bearer credential
Organization owner
memtrace.io
Alice / CLI
Self-hosted MemDB
SERVICEEXTERNALAGENT / AIINFRASTRUCTURE

The signed assertion is scoped to one organization, one install, and one role. It is not a data-access token. MemDB verifies it locally using the enrollment secret from the deployment bundle, stores only the BLAKE3 hash of the resulting bearer, and remains the data-plane authorization authority.

Owner setup#

  1. Deploy the current enterprise bundle using Deploy MemDB. The cluster must mount both cluster/tokens.store and cluster/enrollment.secret.
  2. Pin the deployed MemDB endpoint in the organization's enterprise configuration.
  3. Add members to the organization from memtrace.io/account.
USE A FRESH BUNDLE FOR ENROLLMENT

Older deployments without enrollment.secret cannot verify organization assertions. Upgrade MemDB and deploy a newly downloaded bundle once. The owner bootstrap file remains available for recovery.

Member connection#

Each member runs these commands in the repository that should use the shared MemDB:

terminal
memtrace install
memtrace auth login
memtrace connect <organization-slug>
memtrace start

memtrace connect uses the signed-in account, confirms current organization membership, asks the self-hosted MemDB to create the member's local bearer, writes secretless .memtrace/team.toml, and stores the bearer in that member's own credentials.json. The member never receives the owner token.

Credentials last 24 hours. memtrace start renews them automatically within the final hour. A temporary control-plane outage does not invalidate an unexpired credential; after expiry, the CLI asks the member to sign in and reconnect.

Roles and revocation#

Organization owners and admins enroll with the MemDB admin role. Other active organization members enroll as writer. Removing a member, ending the subscription, revoking the seat, or disabling the self-hosted entitlement prevents the next renewal. Existing credentials stop working at their hard expiry, so removal is bounded to at most 24 hours without requiring MemDB to call the cloud for every request.

IMMEDIATE REMOVAL

For an urgent incident, an owner can also revoke the active local credential with memtrace access revoke. Normal membership changes need no token file, Secret update, or container restart.

Local credential storage#

The shared cluster pointer lives in committable .memtrace/team.toml. The member's bearer and its expiry live in ~/.config/memtrace/credentials.json on Linux/macOS or the corresponding user config directory on Windows. The CLI creates and updates that file. Users should not download or hand-edit it.

memtrace connect --status reports the effective endpoint, database, organization, token presence, and live connectivity without printing credentials. memtrace connect --disconnect removes the workspace connection and the stored bearer for that endpoint; it does not remove the person from the organization.

Manual fallback#

cluster/owner-connect.json and memtrace access add|rotate|revoke remain available for bootstrap, air-gapped environments, service accounts, and recovery when organization enrollment cannot be used. Keep the owner file with cluster secrets. Do not distribute it to normal members.

terminal
# Owner or offline fallback only
memtrace connect cluster/owner-connect.json
memtrace access add reports-ci --role writer --out reports-ci.connect.json
A TOKEN HASH IS NOT A BEARER TOKEN

Values under hash = "..." in tokens.store are one-way BLAKE3 hashes. They cannot be used with --token and are never the value a member needs for organization enrollment.

Docker and Kubernetes#

Enrollment is supported by the enterprise Docker command and Helm values generated in the bundle. Both mount the organization enrollment secret read-only. The resulting managed credential registry is stored on MemDB's persistent data volume, so container and pod restarts retain it.

memtrace connect <organization-slug>Enterprise