You’ll use this when…
- Your services already talk to REST APIs and you want Mem0 to match that style.
- Teams on languages without the Mem0 SDK still need access to memories.
- You plan to explore or debug endpoints through the built-in OpenAPI page at
/docs.
Feature
- CRUD endpoints: Create, retrieve, search, update, delete, and reset memories by
user_id,agent_id, orrun_id. - Authentication: On by default. Dashboard sessions use JWTs; programmatic clients use per-user
X-API-Keyheaders. LegacyADMIN_API_KEYis still supported. - Status health check: Access base routes to confirm the server is online.
- OpenAPI explorer: Visit
/docsfor interactive testing and schema reference.
Configure it
Run with Docker Compose (development)
- Steps
-
Create
server/.envwith your keys: -
Bootstrap the stack in one command:
Or to start the stack only and finish setup via the browser wizard at http://localhost:3000:
-
API is at
http://localhost:8888. Code edits auto-reload.
Other install paths
Other install paths
Run with Docker
- Pull image
- Build locally
- Create a
.envfile withOPENAI_API_KEYandJWT_SECRET. - Run the container:
- Visit
http://localhost:8000.
Compose publishes internal port 8000 as 8888 on the host. Raw Docker and raw uvicorn listen on 8000 unless remapped.
JWT_SECRET is required once auth is enabled: the server returns 500 on auth endpoints if it’s unset. Generate one with openssl rand -base64 48. See Self-Hosted Setup for the full env var table.The REST server reads the same configuration you use locally, so you can point it at your preferred LLM, vector store, and reranker without changing code.
Authentication
Auth is on by default. Protected endpoints require either a JWT (from the dashboard login flow) or anX-API-Key header. The / redirect, /docs, and /openapi.json routes stay open so you can reach the OpenAPI explorer.
The
/docs OpenAPI explorer supports both auth modes. Click Authorize at the top of the page and paste either Bearer <access_token> (JWT) or your X-API-Key value. Protected endpoints return 401 until you authorize.
Log in and use a JWT
Register the first admin (only works when no user exists yet), then log in:access_token as a bearer token:
POST /auth/refresh.
Create and use a per-user API key
Create a key from the dashboard API Keys page, or callPOST /api-keys with a JWT. The full m0sk_... value is returned once at creation time: store it securely.
GET /api-keys and DELETE /api-keys/{id}.
Legacy ADMIN_API_KEY
Set the ADMIN_API_KEY environment variable and send it as X-API-Key. The request is treated as admin-level and is not tied to a dashboard user. This mode is kept for back-compat with older self-hosted deployments: prefer JWT or per-user keys for new setups.
See it in action
Create and search memories via HTTP
Expect a JSON response containing the new memory IDs and events (
ADD, etc.).explain to inspect the scoring signals used by OSS hybrid search:
score_details only when explanation mode is enabled.
Explore with OpenAPI docs
- Navigate to
http://localhost:8888/docs(Compose) orhttp://localhost:8000/docs(raw Docker / uvicorn). - Pick an endpoint (e.g.,
POST /search). - Fill in parameters and click Execute to try requests in-browser.
Endpoint reference
The OSS REST server exposes the following endpoints. None use the/v1/ prefix.
Memory operations
Authentication
API keys
All/api-keys endpoints require a JWT.
Request logs
Entities
The
/auth/*, /api-keys, /requests, and /entities routes are new to the self-hosted server and primarily back the dashboard, but you can call them directly from your own tooling.
Verify the feature is working
- Hit the root route and
/docsto confirm the server is reachable. - Run a full cycle:
POST /memories→GET /memories/{id}→DELETE /memories/{id}. - Watch server logs for import errors or provider misconfigurations during startup.
- Confirm environment variables (API keys, vector store credentials) load correctly when containers restart.
Best practices
- Keep auth on: Auth is enabled by default. Never set
AUTH_DISABLED=truein production. If you rely onADMIN_API_KEY, use a long value (16+ chars) or prefer per-user API keys. - Use HTTPS: Terminate TLS at your load balancer or reverse proxy.
- Monitor uptime: Track request rates, latency, and error codes per endpoint.
- Version configs: Keep environment files and Docker Compose definitions in source control.
- Limit exposure: Bind to private networks unless you explicitly need public access.
Configure OSS Components
Fine-tune LLMs, vector stores, and rerankers that power the REST server.
Automate Agent Integrations
See how services call the REST endpoints as part of an automation pipeline.