Account and API keys

Use the Account page to sign in, then use Console for API key management and usage. Account, usage, and API-key routes require a signed-in browser or CLI session.

Base URL: https://api.marrow.id

Overview

GET /v1/account/overview

Auth: CLI sign-in or browser account session. Customer API keys do not authorize account-management endpoints.

The response summarizes the signed-in account, credit balance, record activity, and recent record processing jobs for Console:

{
  "schemaVersion": "marrow-account-overview-v2",
  "account": {
    "email": "[email protected]",
    "displayName": "Avery Quinn"
  },
  "credits": {
    "totalCreditsRemaining": 349
  },
  "recordCounts": {
    "total": 12
  },
  "sources": [],
  "ingestJobs": []
}

Usage

GET /v1/account/usage

Auth: CLI sign-in or browser account session. Customer API keys do not authorize account-management endpoints.

The response summarizes credits, quota counters, recent ledger rows, and daily usage buckets:

{
  "schemaVersion": "marrow-account-usage-v1",
  "credits": {
    "balance": {
      "totalRemaining": 349
    },
    "monthly": {
      "remaining": 99,
      "resetAt": "2026-06-01T00:00:00.000Z"
    },
    "onboarding": {
      "remaining": 250
    }
  }
}

API key lifecycle

Console is the primary place to create, copy, revoke, rotate, and review API keys. Newly created key secrets are shown once. Existing key secrets are never returned by the public API.

Customer API keys use four product scope labels:

Scope Allows
ingest Record submission and processing status
query Retrieve context from connected records
memory.read Read agent and native memory for the authenticated account
memory.write Write agent and native memory for the authenticated account

Account-management actions use CLI sign-in or a browser account session, not a customer API-key scope.

Default setup uses ingest and query. Add memory.read or memory.write when the app or agent needs those operations.

Use revoke for lost, rotated, or retired keys. Revoked keys stop authorizing requests while the account lifecycle remains intact.

Connected MCP applications

An MCP client connected through interactive authorization appears in Console as a connected application with access to the hosted 15-tool resource. Disconnecting an application revokes its authorization without signing out the browser session or revoking customer API keys.

Use a dedicated customer API key for a server-managed client that needs only memory.read or memory.write. Interactive applications remain resource-wide and individually revocable.

Delete account

Use the signed-in Account page to permanently delete the current account and its Marrow data. The confirmation requires the exact signed-in email address. Deletion signs out every browser and CLI session and invalidates every customer API key for the account.

If final cleanup cannot complete, the Account page enters a recovery-only state. That browser session can retry deletion or sign out, but it cannot open Console, link providers, or perform ordinary account operations.

DELETE /v1/account
Content-Type: application/json
X-Marrow-CSRF: 1

{"confirmation":"[email protected]"}

Auth: browser account session only. CLI sessions and customer API keys cannot authorize this route, and the request never accepts an account ID.

{
  "schemaVersion": "marrow-account-deletion-v1",
  "status": "deleted"
}

CLI mapping

Prefer Console for key management. These CLI commands are available when you need them locally:

marrow api-keys list
marrow api-keys create --name "Production app"
marrow api-keys create --name "Query only" --scope query
marrow api-keys create --name "Ingest and query" --scope ingest --scope query
marrow api-keys revoke <key-id>
marrow api-keys rotate <key-id>

Repeat --scope to add multiple scopes. API key lifecycle commands use your active CLI account session; the managed API key itself does not sign you in. Creating or rotating a key may show the new secret once; listing or revoking keys never shows secrets.

See Usage and credits for account usage details.