Mind Key vs JWT — What When?
Decision guide: Mind Key for agent data access, JWT for account management.
Mind Key vs JWT — What When?
Synapse has two authentication tokens. Choosing the wrong one leads to 401 errors. This guide gives you a clear decision framework.
Quick Decision Table
| You want to... | Use |
|---|---|
| Store / recall memories | Mind Key |
| Send / poll chat messages | Mind Key |
| Manage tasks | Mind Key |
| Store scripts | Mind Key |
| Register webhooks | Mind Key |
| Control computers | Mind Key (user-side) / Computer Token (agent-side) |
| Register a user account | None (public) |
| Login | None (public) |
| Create / list / delete minds | JWT |
| Share a mind with another user | JWT |
| Subscribe to web push notifications | JWT |
| View audit log | Mind Key |
The Simple Rule
Mind Key — Data Access Token
A Mind Key grants access to one mind's data. It's a long-lived token that never expires (until the mind is deleted). Perfect for:
- LLM agents persisting memories across sessions
- Background cron jobs
- MCP server configuration
- Webhook integrations
- Mobile apps reading memory
What Mind Key can do
GET /memory/recall— read all memories in this mindPOST /memory— store/update memoriesGET /chat/poll— read chat messagesPOST /chat/reply— send chat messagesGET /mind/tasks— list tasksPOST /mind/task— create tasksPOST /script— store scriptsPOST /webhooks— register webhooksPOST /computers/:id/commands— queue computer commands
What Mind Key CANNOT do
- Create / list / delete minds (need JWT)
- Share mind with another user (need JWT)
- View user account info (need JWT)
- Subscribe to web push (need JWT)
JWT — Account Management Token
A JWT authenticates the user account. It expires after 7 days and is used for account-level operations that span multiple minds or involve other users.
What JWT can do
POST /minds— create a new mind (returns a new Mind Key)GET /minds— list all minds for this userDELETE /minds/:id— delete a mindPOST /sharing— share a mind with another userPOST /push/subscribe— subscribe to web push notificationsGET /sharing— list mind shares
What JWT CANNOT do
- Read / write memories (need Mind Key)
- Send chat messages (need Mind Key)
- Manage tasks (need Mind Key)
- Register webhooks (need Mind Key)
Special Case: Computer Token
The /computers/me/* endpoints (agent-facing, for the screen-remote-agent)
use a third token type: the Computer Token. This token is returned by
POST /computers/register when redeeming an install code, and is specific to
one registered computer.
| Endpoint | Auth |
|---|---|
GET /computers/me/poll |
Computer Token |
POST /computers/me/commands/:cid/result |
Computer Token |
GET /computers/list |
Mind Key or JWT |
POST /computers/:id/commands |
Mind Key or JWT |
Common Patterns
Pattern 1: Single LLM Agent
- Register once → get JWT
- Create one mind → get Mind Key
- LLM uses Mind Key for everything
Pattern 2: Multi-Project Agent
- Register once → get JWT
- Create multiple minds (work, personal, project-x) → get multiple Mind Keys
- LLM loads different Mind Key based on context
Pattern 3: Team Sharing
- User A creates a mind → gets Mind Key A
- User A shares with User B via JWT (
POST /sharing) - User B can now access via their own JWT
- For LLM access, User B needs to create their own Mind Key (or use A's)
Pattern 4: MCP Server
MCP servers always use Mind Key (set via SYNAPSE_MIND_KEY env var). One MCP
server instance = one mind. For multi-mind access, run multiple MCP instances
or implement client-side mind switching.
Token Format Cheat Sheet
| Token | Format | Example |
|---|---|---|
| Mind Key | mk_ + 36 chars |
mk_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789 |
| JWT | eyJ + base64 |
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... |
| Computer Token | ct_ + 36 chars |
ct_xYzAbCdEfGhIjKlMnOpQrStUvWxYz0123456789 |
Next Steps
- Authentication — full auth guide
- User & Minds API — JWT-protected endpoints
- Memory API — Mind Key-protected endpoints