All protected API calls require a bearer token.
These examples show the minimum flow: set environment variables, send token-authenticated requests, and keep scope boundaries explicit.
Permission model recap:
- permissions are `{resource}:{operation}` (for example `memories:read`, `knowledge:write`)
- shorthand `read`/`write`/`edit`/`delete` expands across all resources
- token access is downscoped by both declared permissions and token scope restrictions
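
The sketch below models how the two restrictions combine. It is an added example, not Postbrain's own code. It assumes the resource list is just the two resources named above, that scopes are compared by exact string match, and that a token is a dict with hypothetical `permissions` and `scopes` keys.

```python
# Illustrative model only; not Postbrain's implementation.
RESOURCES = ("memories", "knowledge")            # assumption: only the resources named in this doc
OPERATIONS = ("read", "write", "edit", "delete")


def expand(permissions):
    """Expand declared permissions into explicit resource:operation pairs."""
    granted = set()
    for perm in permissions:
        if perm in OPERATIONS:
            # Shorthand such as "read" applies to every resource.
            granted.update(f"{res}:{perm}" for res in RESOURCES)
            continue
        resource, sep, operation = perm.partition(":")
        if not sep or resource not in RESOURCES or operation not in OPERATIONS:
            # Fail closed: an unknown permission string is rejected, never ignored.
            raise ValueError(f"unrecognised permission: {perm!r}")
        granted.add(perm)
    return granted


def is_allowed(token, resource, operation, scope):
    """A request passes only if the permission check AND the scope check both pass."""
    has_permission = f"{resource}:{operation}" in expand(token["permissions"])
    scopes = token.get("scopes")                 # assumption: None means no scope restriction
    in_scope = scopes is None or scope in scopes # assumption: exact string match
    return has_permission and in_scope


# Constructed sample token: shorthand read plus one explicit write, limited to one scope.
SAMPLE_TOKEN = {
    "permissions": ["read", "knowledge:write"],
    "scopes": {"project:your-org/your-repo"},
}

if __name__ == "__main__":
    for res, op, scope in [
        ("knowledge", "write", "project:your-org/your-repo"),
        ("memories", "write", "project:your-org/your-repo"),
        ("memories", "read", "project:other-org/other-repo"),
    ]:
        print(res, op, scope, "->", is_allowed(SAMPLE_TOKEN, res, op, scope))
```
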

```bash
export POSTBRAIN_URL="http://localhost:7433"
export POSTBRAIN_TOKEN="<token>"
```

Use this as your first connectivity/auth check:

```bash
curl -sS -H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
  "${POSTBRAIN_URL}/v1/principals"
```

Create dedicated tokens per workload instead of sharing one long-lived token across systems:

```bash
postbrain token create --name "automation" --principal "acme-platform"
```

When using clients/agents, set a default scope and keep tokens least-privilege.

```bash
export POSTBRAIN_SCOPE="project:your-org/your-repo"
```

This reduces accidental cross-scope access and keeps automation behavior predictable.