MemgraphAI

Security & Multi-Tenancy

Memgraph is built for enterprise use with strict tenant isolation, RBAC, audit logging, and data export compliance.

Tenant Isolation

Every API query is scoped by tenant_id. This is enforced at the database query level — it is not possible for one tenant to access another tenant's data through the API.

Row-level scoping

Every SQL query includes a WHERE tenant_id = ? clause. Enforced by the auth middleware, not by individual endpoints.

API key isolation

Each API key is bound to exactly one tenant. The key hash maps to a tenant_id in the database.

JWT isolation

JWT tokens contain a user_id that maps to a tenant_id. Users cannot switch tenants via token.

E2E tested

The E2E smoke test creates two tenants and verifies that tenant B sees zero of tenant A's events, beliefs, threads, and stats.

API Key Security

  • Hashing: API keys are hashed with SHA-256 before storage. The plaintext key is only returned once at creation time and is never stored.
  • Prefix: All keys start with mg_ for easy identification in logs and config files.
  • Revocation: Keys can be instantly revoked via DELETE /v1/api-keys/{id}. Revoked keys immediately stop working.
  • Multiple keys: Each tenant can have multiple active API keys. Use separate keys for different environments (dev, staging, production).

JWT Security

  • Algorithm: HS256 (HMAC with SHA-256).
  • Signing key: Configured via SECRET_KEY environment variable. Must be at least 32 characters.
  • Expiration: Tokens expire after 7 days by default.
  • Password hashing: User passwords are hashed with bcrypt (via passlib).

Role-Based Access Control

Three-tier role hierarchy enforced on protected endpoints:

RoleLevelCan doCannot do
admin3Everything: export/import data, manage API keys, manage users, tenant settings-
editor2Read/write events, beliefs, episodes, documentsExport, import, manage tenant, manage API keys
viewer1Read events, beliefs, episodes, statsWrite operations, admin operations

Audit Logging

All key operations are logged to the audit_logs table for compliance and security monitoring.

Authentication

Login attempts, onboarding, password changes

Belief mutations

Create, update, supersede, delete, pin/unpin

API key management

Key creation, revocation

Data export/import

All export and import operations with counts

Tenant changes

Settings updates, policy changes

Episode operations

Tag updates, pin/unpin, dreaming triggers

Each audit entry records: tenant_id,actor_id,action,resource_type,resource_id,metadata, andtimestamp.

View the audit timeline via GET /v1/audit/timeline.

Rate Limiting

Per-tenant sliding window rate limiter. Default: 120 requests per minute per tenant.

  • Single instance: In-memory tracking (no configuration needed).
  • Multi-instance: Set REDIS_URL for distributed rate limiting using Redis sorted sets.
  • Exempt paths: /health,/docs,/openapi.json,/metrics are not rate limited.
  • 429 response: Includes Retry-After: 60 header.

Data Export (GDPR Compliance)

Export all tenant data as JSON for backup, migration, or GDPR data portability requests.

bash
# Export all tenant data (requires admin role)
curl https://api.memgraph.ai/v1/admin/export \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -o tenant_backup.json

# Response includes:
# {
#   "version": "1.0",
#   "tenant": { "id": "...", "name": "..." },
#   "events": [...],
#   "episodes": [...],
#   "beliefs": [...],
#   "documents": [...],
#   "counts": { "events": 42, "episodes": 5, "beliefs": 18, "documents": 3 }
# }

# Import data back
curl -X POST https://api.memgraph.ai/v1/admin/import \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d @tenant_backup.json

Monitoring

Memgraph exposes Prometheus-compatible metrics at the /metrics endpoint. This endpoint is public (no auth required) for easy scraping.

bash
curl http://localhost:8001/metrics

# Returns Prometheus text format with:
# - Request counts by endpoint
# - Response latencies
# - Active connections
# - Database pool stats

Additionally, GET /health returns a JSON health check including database connectivity status.

Production Security Checklist

Set ENVIRONMENT=production (disables anonymous access)
Generate a strong SECRET_KEY (min 32 chars, use secrets.token_urlsafe)
Use HTTPS for all API traffic (terminate TLS at load balancer)
Set a strong database password (not the default 'password')
Restrict database access to the API server only (no public exposure)
Rotate API keys periodically
Enable Redis for distributed rate limiting if running multiple instances
Set up Prometheus monitoring and alerting on /metrics
Back up the PostgreSQL database regularly
Review audit logs periodically (GET /v1/audit/timeline)