Security & Authentication
Security is paramount when managing sensitive memory data. This guide explains the comprehensive security features of the Papr Memory API, including authentication, authorization, and data protection.
Authentication Methods
The Papr Memory API supports three authentication methods as defined in the API specification:
1. API Keys
Include your API key in the X-API-Key header:
// Initialize the Papr client with an API key
import Papr from '@papr/memory';
const client = new Papr({
apiKey: process.env.PAPR_MEMORY_API_KEY
});2. Bearer Token
Include your OAuth2 token from Auth0 in the Authorization header:
// Initialize with Bearer token
import Papr from '@papr/memory';
const client = new Papr({
bearerToken: process.env.PAPR_MEMORY_BEARER_TOKEN
});3. Session Token
Include your session token in the X-Session-Token header:
// Initialize with Session token
import Papr from '@papr/memory';
const client = new Papr({
sessionToken: 'YOUR_SESSION_TOKEN'
});Role-Based Access Control
Implementing fine-grained access control:
// Create roles
const role = await papr.security.createRole({
name: 'MemoryAnalyst',
permissions: [
'memory:read',
'analytics:read',
'context:read'
]
});
// Assign role to user
await papr.security.assignRoleToUser({
userId: 'user-123',
roleId: role.id
});
// Check permissions
const hasPermission = await papr.security.checkPermission({
userId: 'user-123',
permission: 'memory:read'
});Data Encryption
The Papr API provides multiple layers of encryption:
Encryption at Rest
All stored memories are automatically encrypted at rest using AES-256.
Client-Side Encryption
For additional security, implement client-side encryption:
// Enable client-side encryption
papr.security.enableClientSideEncryption({
algorithm: 'AES-GCM',
keySize: 256,
keyProvider: 'local'
});
// Store encrypted memory
const memory = await papr.memory.add({
content: "Sensitive information",
encrypt: true,
metadata: {
classification: "confidential"
}
});Data Access Policies
Create and manage fine-grained access policies:
// Create a data access policy
const policy = await papr.security.createPolicy({
name: "FinancialDataAccess",
rules: [
{
resources: ["memories"],
conditions: {
"metadata.department": "finance",
"metadata.classification": {
$in: ["internal", "confidential"]
}
},
actions: ["read", "update"],
effect: "allow"
}
],
priority: 10
});
// Attach policy to role
await papr.security.attachPolicyToRole({
policyId: policy.id,
roleId: "role-finance-team"
});Audit Logging
Track all security-related events:
// Enable detailed audit logging
papr.security.enableAuditLogging({
level: "detailed",
destinations: ["internal", "webhook"],
webhookUrl: "https://your-app.com/audit-webhook"
});
// Retrieve audit logs
const logs = await papr.security.getAuditLogs({
timeframe: {
start: "2023-01-01T00:00:00Z",
end: "2023-01-31T23:59:59Z"
},
filter: {
action: "memory.access",
userId: "user-123"
},
limit: 100
});IP Restrictions
Limit API access to specific IP addresses:
// Set IP restrictions
await papr.security.setIpRestrictions({
enabled: true,
allowedIps: [
"203.0.113.0/24",
"198.51.100.7"
]
});Security Best Practices
- Rotate API Keys: Regularly rotate API keys and credentials
- Principle of Least Privilege: Grant only the permissions needed
- Encrypt Sensitive Data: Use client-side encryption for highly sensitive data
- Monitor Activity: Regularly review activity for suspicious patterns
- Implement Rate Limiting: Protect against brute force and denial of service attacks
- Use Environment Variables: Never hardcode credentials in your code
- Enable Compression: Use
Accept-Encoding: gzipfor secure, efficient data transfer
Next Steps
- Learn about Memory Management
- Explore Batch Processing
- See the complete API Reference