MuninnDB

Security & Auth

API Keys

MuninnDB uses bearer token authentication. API keys follow the format mn_live_<random>. Keys are bcrypt-hashed at rest and never stored in plaintext.

Keys are scoped to a vault. An agent with key mn_live_abc... can only access engrams in the vault the key was issued for. Cross-vault access is not possible with a vault-scoped key.

Vault Isolation

A vault is a namespace for engrams. All data in a vault is isolated — different agents, users, or applications each get their own vault. Isolation is enforced at the storage level via SipHash-keyed prefixes.

For local development, set auth.require_key: false in config to bypass authentication.

Transport Security

In production, run MuninnDB behind a TLS-terminating proxy (nginx, Caddy, AWS ALB). All protocols (MBP, gRPC, REST) support TLS when configured. For local development, plain TCP is used by default.

Auth Modes

  • Development (auth.require_key: false). No authentication. Local use only.
  • Production (auth.require_key: true). All requests require a valid bearer token.
  • Admin mode — Admin tokens (prefix mn_admin_) can manage vaults and keys. Should never be used by agents.