Skip to main content

Secure by Design

Jean Memory handles sensitive personal data, and we take that responsibility seriously. We’ve built our authentication system on the industry-standard OAuth 2.1 protocol. This ensures that user credentials are never shared with third-party applications and that users have full control over who can access their memory.

Two-Layer Security

Jean Memory uses a dual authentication system for maximum security:
  1. Application Authentication: Your unique API key (jean_sk_...) identifies your app and handles billing/rate limits.
  2. User Authentication: A JWT token identifies the specific user and their private memory scope.
Authorization: Bearer <user_jwt_token>    # User identity
X-API-Key: jean_sk_your_app_key          # Application identity
The best part? All this security is completely invisible to developers. Our SDK handles OAuth 2.1 PKCE, JWT tokens, session persistence, and universal identity mapping automatically.

Browser-Based Apps (PKCE)

This flow is designed for frontend applications (e.g., React, Vue, Svelte) running in a user’s browser. It uses the Proof Key for Code Exchange (PKCE) grant type, which is the current best practice for securing public clients.

Universal Identity System

Jean Memory now features a universal identity system that ensures users maintain the same identity across all applications and sessions.
  • Consistent Identity: Users keep the same memories across different apps using Jean Memory
  • Provider Flexibility: Users can sign in with any supported provider (Google, GitHub, etc.)
  • Cross-Platform: The same user account works on web, mobile, and desktop applications

The Easy Way

For React developers, we’ve made this incredibly simple. Our SDK handles the entire OAuth 2.1 PKCE flow automatically. 
import { JeanProvider, SignInWithJean, useJean } from '@jeanmemory/react';

function App() {
  return (
    <JeanProvider apiKey="jean_sk_your_api_key">
      <SignInWithJean onSuccess={(user) => console.log('Authenticated!')}>
        Sign In with Jean
      </SignInWithJean>
      <YourApp />
    </JeanProvider>
  );
}

function YourApp() {
  const { sendMessage, isAuthenticated, user } = useJean();

  if (!isAuthenticated) {
    return <div>Please sign in to continue</div>;
  }

  const handleChat = async () => {
    // Automatically uses authenticated user's context and memories
    const response = await sendMessage("What did I work on yesterday?");
    console.log(response);
  };

  return (
    <div>
      <h1>Welcome, {user.name}!</h1>
      <button onClick={handleChat}>Ask about my work</button>
    </div>
  );
}
What happens automatically:
  1. OAuth 2.1 PKCE Flow: Secure authentication with Google (no client secrets needed)
  2. Session Persistence: Users stay logged in across browser refreshes
  3. Automatic API Requests: All memory queries include user context automatically

Backend Services

This flow is for trusted backend services that need to access a user’s memory on their behalf, even when the user is not actively present (e.g., for a background data sync).
Getting Credentials: The server-to-server flow is intended for trusted partners and high-volume applications. Please contact our team to discuss your use case and receive a client_id and client_secret.
1

User Authorization

Your application redirects the user to the Jean Memory authorization URL with your client_id and a redirect_uri.
2

Grant Authorization Code

The user logs in and approves the request. Jean Memory redirects back to your redirect_uri with a temporary code.
3

Exchange Code for Token

Your backend service makes a secure, server-to-server request to the Jean Memory token endpoint, exchanging the code for an access_token.
4

Access API

Your service can now use the access_token to make authenticated requests to the Jean Memory API on the user’s behalf.

Live Demo

Want to see the OAuth 2.1 PKCE flow in action?

View Live Demo Repository

A complete React application demonstrating the 5-line integration, session persistence, and real-time chat.