Skip to content

API authentication

Programmatic access to the nara API uses server tokens — organization-bound bearer tokens generated by administrators in the webapp.

A server token identifies your organization, not an individual user. It grants full API access within your license tier; there are no per-token scopes.

Tokens have the format nara_sa_ followed by a random suffix, for example:

nara_sa_9fK2mQ7xR4tW8vLpN3jH6bC1dY5sA0eZgUoIiT-uXnM

nara stores only a SHA-256 hash of each token. The full value is shown once at generation time; afterwards only the first characters are displayed as a prefix so you can identify the token. Copy the token immediately and store it in a secret manager.

  1. Open Admin > Settings.

  2. In the Server token section, select Generate (or Regenerate to replace an existing token).

  3. Copy the displayed token. It cannot be retrieved again later.

Generating and managing tokens requires the serviceAccount.manage permission, which the built-in Admin role includes by default.

KindExpiryBehavior
Long-livedOptionalValid until revoked or expired
Short-livedRequired (expiresAt)Valid until the expiry timestamp
Single-useRequired (expiresAt)Automatically revoked after its first request

Revoke a token at any time to invalidate it immediately. To rotate, generate a new token, update your clients, then revoke the old one. Each token records a lastUsedAt timestamp on every request, so you can spot stale or unexpected usage before revoking.

Send the token in the Authorization header of every request:

Terminal window
curl https://app.nara.de/api/agent/run \
-H "Authorization: Bearer nara_sa_..."

Write requests (POST, PUT, PATCH) must also set Content-Type: application/json:

Terminal window
curl -X POST https://app.nara.de/api/memory/objects \
-H "Authorization: Bearer nara_sa_..." \
-H "Content-Type: application/json" \
-d '{ "typeId": "…", "contents": { "key": "value" } }'

Instead of a server token, you can authenticate as a user with a Clerk-issued JWT. Because a user can belong to multiple organizations, add the Clerk-Organization-Id header to select the organization:

Terminal window
curl https://app.nara.de/api/memory/types \
-H "Authorization: Bearer <clerk-jwt>" \
-H "Clerk-Organization-Id: <organization-id>"
StatusMeaning
400Invalid request body or parameters
401Missing, invalid, expired, or revoked token
402Insufficient credits to perform the operation
403Permission denied (for example, admin required)
404Resource not found
500Internal server error
  • Never commit tokens to source control. Keep them in environment variables or a secret manager.
  • Rotate tokens regularly and immediately after any suspected exposure.
  • Prefer short-lived or single-use tokens for automation that runs infrequently.
  • Review lastUsedAt timestamps to detect unused tokens and revoke them.

For the available endpoints, see the API reference.