mnueron's hosted API accepts two equivalent forms of authentication.
Both resolve to the same row in api_tokens.
Bearer token (recommended for everything except the dashboard)
For SDKs, the Chrome extension's hosted mode, curl, scripts — anything
not running in a browser session — send the raw token in the
Authorization header:
```http
GET /api/memories?limit=10 HTTP/1.1
Host: www.mnueron.com
Authorization: Bearer mnu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
Issue a token at https://www.mnueron.com/account-settings/tokens.
The raw mnu_... value is shown once at creation; store it in your
secrets manager immediately. The server only ever stores a SHA256
hash; if you lose the raw value, revoke and reissue.
Session cookie (browser / dashboard only)
When you sign in at /login, the server sets an httpOnly,
SameSite=Lax cookie named mnueron_session. The dashboard and
admin pages rely on this; you never see or set the cookie value
yourself. Cookie expiry is 60 days, refreshed on every /api/auth/me
call.
Which one when
| Caller | Auth method |
|---|---|
| Browser hitting /dashboard, /admin, etc. | Cookie (automatic after login) |
| @mnueron/sdk, mnueron (Python), Mnueron.NET | Bearer header |
| Chrome extension in local mode | (none — talks to 127.0.0.1:3122) |
| Chrome extension in hosted mode | Bearer header |
| curl / wget / Postman | Bearer header |
| Your own backend integrating mnueron | Bearer header |
Common pitfalls
- Pasting the cookie value as a bearer token. The cookie value and
the raw token happen to be the same string today; this works but
feels fragile. Use the explicit token from
/account-settings/tokens instead.
- Sending both a cookie and a header. No conflict: the server checks
the cookie first, then falls back to the header. If the cookie is
valid, the header is ignored.
- Token contains invisible characters. Some clipboard tools insert
trailing whitespace or smart-quote characters. In DevTools → Network,
click the failing request → Headers → confirm the
Authorization value literally matches what you copied.
- Older mnueron.com builds didn't accept the header. If you're on
a deploy before the bearer-auth fix landed and seeing 401 on every
SDK call, redeploy main.
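A pre-flight check for the invisible-character pitfall above, as an added example (not mnueron's or its SDKs' code). It assumes raw tokens are printable ASCII with no spaces and start with `mnu_`, as in the placeholder on this page; `diagnose_token` and `authorization_header` are hypothetical helper names.

```python
import unicodedata

TOKEN_PREFIX = "mnu_"  # prefix shown on this page; the rest of the format is not assumed


def diagnose_token(pasted: str) -> list[str]:
    """Return the problems found in a pasted token (empty list means clean)."""
    problems = []
    if pasted != pasted.strip():
        problems.append("leading or trailing whitespace")
    core = pasted.strip()
    if core.lower().startswith("bearer "):
        problems.append("value includes the 'Bearer ' scheme; pass only the raw token")
        core = core[len("bearer "):].strip()
    clean_chars = []
    for index, ch in enumerate(core):
        if ch.isascii() and ch.isprintable() and not ch.isspace():
            clean_chars.append(ch)
            continue
        # Report the code point and position only, never the secret itself.
        name = unicodedata.name(ch, "unnamed control character")
        problems.append(f"U+{ord(ch):04X} {name} at position {index}")
    # Check the prefix with the junk removed, so a stray smart quote in front
    # of an otherwise valid token is not reported twice.
    if not "".join(clean_chars).startswith(TOKEN_PREFIX):
        problems.append(f"does not start with {TOKEN_PREFIX!r}")
    return problems


def authorization_header(pasted: str) -> dict[str, str]:
    """Build the header only from a clean token; refuse rather than silently repair."""
    problems = diagnose_token(pasted)
    if problems:
        raise ValueError("token rejected: " + "; ".join(problems))
    return {"Authorization": f"Bearer {pasted}"}


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    samples = [
        "mnu_CONSTRUCTEDexample0000",
        "mnu_CONSTRUCTEDexample0000\n",
        "\u201cmnu_CONSTRUCTEDexample0000\u201d",
        "mnu_CONSTRUCTEDexample0000\u200b",
    ]
    for sample in samples:
        print(diagnose_token(sample) or "clean")
```

Running the check where the token is loaded from the secrets manager catches a bad paste before it turns into an unexplained 401.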
Revoking a token
UI: /account-settings/tokens → row → Revoke.
API:
```bash
curl -X DELETE \
  -H "Authorization: Bearer mnu_..." \
  "https://www.mnueron.com/api/auth/tokens/<id>"
```
Revocation is immediate. The next request using the revoked token returns 401.
Listing your tokens
```bash
curl -H "Authorization: Bearer mnu_..." \
  https://www.mnueron.com/api/auth/tokens
```
Returns id, prefix (first 8 chars), name, created_at, last_used_at, and expires_at for every token on your account. Useful for spotting stale tokens to revoke.