Organizations & projects

How orgs, projects (namespaces), members, and tokens fit together.

Mnueron is multi-tenant from the ground up. Every memory belongs to exactly one org, and an org is partitioned into one or more projects (Mnueron internally calls these namespaces).

user ─┬─ org A
      │   ├─ project "default"
      │   ├─ project "work"
      │   └─ project "side-projects"
      └─ org B  (separate token, separate billing)

Org

The top-level tenant. Owns:

  • members (humans with org_members rows; roles: owner, admin, member)
  • API tokens (api_tokens rows; one cookie/Bearer per row)
  • a Stripe customer (when on a paid plan)
  • everything below — projects, memories, entities, webhooks, runbooks, exports

Every API token is scoped to one org. To work across orgs, mint a token per org and switch via the Authorization header.

Endpoints: /api/orgs, /api/orgs/:id, /api/orgs/:id/members.

Project (namespace)

A logical grouping of memories inside an org; a project and a namespace are the same row. Every memory has a namespace_id. The default namespace is literally named "default" and is auto-created the first time you save without specifying one.

Use projects to keep different problem domains separate:

  • One project per client
  • One project per side project
  • One project for "personal preferences" and another for "work decisions"

Endpoints: /api/projects, /api/projects/:id. The legacy /api/namespaces endpoint returns the same data in the older, lighter shape.

Members

An org has one or more org_members rows. Roles:

  • owner — full control (rename, delete, manage members, billing)
  • admin — manage memories, can't delete the org
  • member — read + write memories

Only owners can add/remove members today; admin role is reserved for future use. The last remaining owner can never be removed — you'd lose access to your own data.

Endpoints: /api/orgs/:id/members, /api/users, /api/users/:id.

Tokens

Each API token is its own row in api_tokens. The raw mnu_… string is stored only as a hash in the DB; you see it once, at creation. Revoke any time via /account-settings/tokens or DELETE /api/auth/tokens/:id.

Token names are free-form labels — extension, ci, python-sdk — so you can spot abuse and revoke surgically.
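
The sketch below is an added example, not Mnueron's own code. It shows why hash-only storage means the raw value can be shown only once, and how one token resolves to exactly one org and can be revoked on its own. The column names, the SHA-256 choice, the revoked flag and the function names mint_token, resolve_org and revoke_token are assumptions.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional, Tuple

# Hypothetical schema: the page names the api_tokens table, not its columns.
db = sqlite3.connect(":memory:")
db.execute("""CREATE TABLE api_tokens (
    id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, name TEXT NOT NULL,
    token_hash TEXT NOT NULL UNIQUE, revoked INTEGER NOT NULL DEFAULT 0)""")


def _digest(raw: str) -> str:
    # Assumption: SHA-256. An unsalted fast hash is adequate here because the
    # token is 256 bits of CSPRNG output, not a human-chosen password.
    return hashlib.sha256(raw.encode()).hexdigest()


def mint_token(org_id: str, name: str) -> Tuple[int, str]:
    """Insert one row for one org; return (row id, raw token shown once)."""
    raw = "mnu_" + secrets.token_urlsafe(32)
    cur = db.execute(
        "INSERT INTO api_tokens (org_id, name, token_hash) VALUES (?, ?, ?)",
        (org_id, name, _digest(raw)))
    return cur.lastrowid, raw  # raw is never written to the database


def resolve_org(authorization: str) -> Optional[str]:
    """Map an Authorization header value to the org its token is scoped to."""
    scheme, _, raw = authorization.partition(" ")
    if scheme != "Bearer" or not raw.startswith("mnu_"):
        return None
    # Lookup is by digest, so the stored data alone cannot be replayed.
    row = db.execute(
        "SELECT org_id FROM api_tokens WHERE token_hash = ? AND revoked = 0",
        (_digest(raw),)).fetchone()
    return row[0] if row else None


def revoke_token(token_id: int) -> None:
    """Revoke a single row; the org's other tokens keep working.

    Assumption: revocation is a flag; the service may delete the row instead.
    """
    db.execute("UPDATE api_tokens SET revoked = 1 WHERE id = ?", (token_id,))
```

Because only the digest is kept, a lost token cannot be recovered from the database; the remedy is to revoke the row and mint a replacement.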

Last updated 2026-05-24