memnode
Sign InSign Up

Remote MCP setup

Hosted memnode exposes a remote MCP endpoint at https://api.memnode.dev/mcp (streamable HTTP) secured by OAuth with dynamic client registration. This page is the full path from zero to a working memory tool call for Claude Code, Claude.ai connectors, and any other MCP client.

Before you connect

  1. You need a memnode account — sign up free. The OAuth flow signs you in through the browser, so the MCP client never sees your password.
  2. Your hosted tenant (the isolated memory store the tools write to) is provisioned automatically on your first dashboard visit. If you skip the dashboard, the authorization page offers to create it inline.

Claude Code

claude mcp add --transport http memnode https://api.memnode.dev/mcp

Then run /mcp inside Claude Code and pick memnode to authenticate. A browser window opens, you sign in, approve the connector for your tenant, and the tools (record_memory, recall_memory, memory_lineage, query_memory, memory_health, forget_memory) appear.

Claude.ai and Claude Desktop

Settings → Connectors → Add custom connector, then paste https://api.memnode.dev/mcp as the remote MCP server URL. Claude discovers the OAuth configuration automatically and walks you through the same browser sign-in and tenant approval.

Any other MCP client — the full OAuth flow

  1. Discovery. An unauthenticated request to the endpoint returns 401 with a WWW-Authenticate challenge. Resource metadata: https://api.memnode.dev/.well-known/oauth-protected-resource/mcp. Authorization-server metadata: https://memnode.dev/.well-known/oauth-authorization-server.
  2. Dynamic client registration (RFC 7591) at the advertised registration_endpoint with your client_name and redirect_uris.
  3. Authorization at https://memnode.dev/oauth/authorize with PKCE — code_challenge_method=S256 is required. The user signs in, selects (or creates) a tenant, and approves the requested scopes (memory.read, memory.write).
  4. Token exchange at the token_endpoint with the authorization code and your original code_verifier. Codes are single-use and expire after 10 minutes.
  5. Call the endpoint. POST JSON-RPC to https://api.memnode.dev/mcp with Authorization: Bearer <access_token>. Access tokens expire after about an hour; use the refresh token to renew.
curl -sS https://api.memnode.dev/mcp \
  -H "Authorization: Bearer $OAUTH_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Troubleshooting

401 unauthorized from https://api.memnode.dev/mcp

The access token is missing, expired, or lacks memory.read/memory.write scopes. OAuth access tokens expire after about an hour; your client should use the refresh token automatically. The 401 carries a WWW-Authenticate challenge pointing at the protected-resource metadata so spec-compliant clients re-run discovery on their own.

"PKCE verification failed" at the token endpoint

memnode requires code_challenge_method=S256. The code_challenge must be the unpadded base64url encoding of SHA-256(code_verifier) — plain base64 (with + / =) or method=plain are rejected. Authorization codes also expire after 10 minutes and are single-use.

"No active Memnode tenant" during authorization

Your account has no provisioned memory store. Click "Create hosted tenant and continue" on that page, or visit the dashboard — new accounts get a tenant provisioned automatically on first dashboard visit.

"Redirect URI is not allowed"

The redirect_uri in the authorization request must exactly match one registered for the client (including port). Re-register the client if your local callback port changed.

Prefer plain HTTP or local?

If your agent is a backend service rather than an interactive MCP client, skip OAuth entirely: mint a dashboard API token and call the hosted HTTP API directly. For repo-local, fully private memory, use the local MCP install.