Our Philosophy: Secure by Design

Jean Memory handles sensitive personal data, and we take that responsibility seriously. That’s why we’ve built our authentication system on the industry-standard OAuth 2.1 protocol. This ensures that user credentials are never shared with third-party applications and that users have full control over who can access their memory.

Two-Layer Security Architecture

Jean Memory uses a dual authentication system for maximum security:

Layer 1: Application Authentication

  • API Key: Each application gets a unique API key (jean_sk_...)
  • Purpose: Identifies and authorizes your application to use Jean Memory
  • Scope: Application-level permissions and billing

Layer 2: User Authentication

  • JWT Token: Each user gets a unique JWT token per session
  • Purpose: Identifies the specific user and their memories
  • Scope: User-specific data access and privacy

How They Work Together:

Authorization: Bearer <user_jwt_token>    # User identity
X-API-Key: jean_sk_your_app_key          # Application identity
The best part? All this security is completely invisible to developers. Our SDK handles OAuth 2.1 PKCE, JWT tokens, session persistence, and universal identity mapping automatically. You get enterprise-grade security with a 5-line integration. We provide two clear authentication flows to support different types of applications.

Flow 1: Browser-Based Apps (PKCE Grant)

This flow is designed for frontend applications (e.g., React, Vue, Svelte) running in a user’s browser. It uses the Proof Key for Code Exchange (PKCE) grant type, which is the current best practice for securing public clients.

Universal Identity System

Jean Memory now features a universal identity system that ensures users maintain the same identity across all applications and sessions. When a user signs in with their email (via Google, GitHub, or email auth), they are mapped to a single, permanent user ID. This means:
  • Consistent Identity: Users keep the same memories across different apps using Jean Memory
  • Provider Flexibility: Users can sign in with any supported provider and access the same account
  • Cross-Platform: The same user account works on web, mobile, and desktop applications

The Easy Way: 5 Lines of Code

For React developers, we’ve made this incredibly simple. Our SDK handles the entire OAuth 2.1 PKCE flow automatically, including session persistence and user identity management. 
import { JeanProvider, SignInWithJean, useJean } from '@jeanmemory/react';

function App() {
  return (
    <JeanProvider apiKey="jean_sk_your_api_key">
      <SignInWithJean onSuccess={(user) => console.log('Authenticated!')}>
        Sign In with Jean
      </SignInWithJean>
      <YourApp />
    </JeanProvider>
  );
}

function YourApp() {
  const { sendMessage, isAuthenticated, user } = useJean();

  if (!isAuthenticated) {
    return <div>Please sign in to continue</div>;
  }

  const handleChat = async () => {
    // Automatically uses authenticated user's context and memories
    const response = await sendMessage("What did I work on yesterday?");
    console.log(response);
  };

  return (
    <div>
      <h1>Welcome, {user.name}!</h1>
      <button onClick={handleChat}>Ask about my work</button>
    </div>
  );
}
What happens automatically:
  • OAuth 2.1 PKCE Flow: Secure authentication with Google (no client secrets needed)
  • Session Persistence: Users stay logged in across browser refreshes and tabs
  • Universal Identity: Same user account across all Jean Memory applications
  • Automatic API Requests: All memory queries include user context automatically
  • Error Recovery: Handles token expiration and network issues gracefully
When a user clicks “Sign In with Jean”, they are redirected to Google OAuth, authenticate securely, and return to your app with a persistent session. No complex token management or API calls required on your end.

Flow 2: Backend Services (Authorization Code Grant)

This flow is for trusted backend services that need to access a user’s memory on their behalf, even when the user is not actively present (e.g., for a background data sync). It uses the standard Authorization Code Grant. This is a more involved flow that requires server-side handling of secrets.

High-Level Steps

  1. User Authorization: Your application redirects the user to the Jean Memory authorization URL with your client_id and a redirect_uri.
  2. Grant Authorization Code: The user logs in and approves the request. Jean Memory redirects back to your redirect_uri with a temporary code.
  3. Exchange Code for Token: Your backend service makes a secure, server-to-server request to the Jean Memory token endpoint, exchanging the code (along with your client_id and client_secret) for an access_token and a refresh_token.
  4. Access API: Your service can now use the access_token to make authenticated requests to the Jean Memory API on the user’s behalf.
  5. Refresh Token: When the access_token expires, use the refresh_token to obtain a new one without requiring the user to log in again.
Getting Credentials: The server-to-server flow is intended for trusted partners and high-volume applications. Please contact our team to discuss your use case and receive a client_id and client_secret.
For detailed instructions on implementing this flow, please consult standard OAuth 2.1 documentation.

Live Demo

Want to see the OAuth 2.1 PKCE flow in action? Check out our Jean Authentication Demo Repository - a complete React application that demonstrates the 5-line integration promise. View Live Demo Repository → This demo shows:
  • Complete OAuth 2.1 PKCE authentication flow
  • Persistent user sessions with localStorage
  • Real-time AI chat with memory persistence
  • Universal identity across Jean Memory applications
  • Production-ready implementation with comprehensive documentation
The demo includes step-by-step setup instructions and can be running locally in under 5 minutes with just your API key.