CyberMem is designed with a "Local-First" philosophy. Your AI's memory belongs to you, and only you.
All memory vectors and entity graphs are stored in a local SQLite database on your filesystem. No data is ever sent to CyberMem or any third-party cloud.
The core binary contains zero usage tracking or analytics. The only network requests made are those you explicitly configure (e.g., to your LLM provider).
We support standard filesystem encryption. On RPi and VPS deployments, we recommend using LUKS or similar disk encryption for maximum security.
API keys for LLM providers (OpenAI, Anthropic, etc.) are stored in your local .env file or passed at runtime. They are never logged or exported.
| Environment | Auth Required | HTTPS | Notes |
|---|---|---|---|
| Local | No | No | Keyless access for localhost |
| RPi | Yes | Optional | Use --remote-access for Tailscale HTTPS |
| VPS | Yes | Yes | Auto-SSL via Caddy/Traefik |
CyberMem uses GitHub OAuth for secure, passwordless authentication.
```
┌─────────────┐     ┌──────────────────┐     ┌─────────────┐
│ MCP Client  │────▶│  cybermem.dev    │────▶│   GitHub    │
│  (Cursor)   │◀────│   /api/auth      │◀────│   OAuth     │
└─────────────┘     └──────────────────┘     └─────────────┘
       │
       │ JWT Token
       ▼
┌─────────────┐     ┌──────────────────┐
│   Traefik   │────▶│  auth-sidecar    │
│  (Gateway)  │◀────│  (ForwardAuth)   │
└─────────────┘     └──────────────────┘
       │
       ▼
┌─────────────┐
│ OpenMemory  │
└─────────────┘
```
CLI Commands:
```
npx @cybermem/mcp --login   # Open browser for GitHub OAuth
npx @cybermem/mcp --status  # Check auth status
npx @cybermem/mcp --logout  # Clear stored token
```
Token storage: ~/.cybermem/token.json
Warning
API keys are deprecated as of v0.7.0 and will be removed in v0.8.0.
Run npx @cybermem/mcp --login to switch to OAuth.
- Local mode: No API key required. Traefik accepts all localhost connections.
- Remote mode: API key or JWT validated by auth-sidecar before forwarding.
No. CyberMem is a self-hosted infrastructure component. We have no access to your data, so training on it is physically impossible.
Even when deployed to a cloud VPS (AWS, DigitalOcean), you control the instance. We provide the Docker image; you run it. We do not offer a managed SaaS version.
```
npx @cybermem/mcp --logout
npx @cybermem/mcp --login
```
```
# Generate new key
NEW_KEY=$(openssl rand -hex 32)
# Update your .env
echo "OM_API_KEY=sk-$NEW_KEY" >> ~/.cybermem/.env
# Restart services
cd ~/.cybermem && docker-compose restart
```
If you discover a security vulnerability, please do NOT open a public issue. Contact the maintainer directly via GitHub Security Advisories.
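The two files this page names as holding secrets, `~/.cybermem/token.json` and `~/.cybermem/.env`, can be audited with a short script. This is an added example, not part of CyberMem: the function name and the owner-only (0600) expectation are assumptions, and it also flags the earlier `OM_API_KEY` lines that remain in `.env` when a rotated key is appended with `>>`.

```shell
#!/usr/bin/env bash
# Added example: audit the CyberMem secret files named on this page.
# Assumption: both files live in ~/.cybermem (pass another directory to override).

# Prints one finding per problem; returns 0 if clean, 1 otherwise.
audit_cybermem_secrets() {
    dir="${1:-$HOME/.cybermem}"
    findings=0

    for f in "$dir/token.json" "$dir/.env"; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PERMS  $f is accessible to group/other; fix: chmod 600 $f"
            findings=$((findings + 1))
        fi
    done

    # Appending a rotated key leaves the previous OM_API_KEY lines on disk.
    if [ -f "$dir/.env" ]; then
        # grep -c exits non-zero on a count of 0, so guard it for set -e callers.
        n=$(grep -c '^OM_API_KEY=' "$dir/.env" || true)
        if [ "$n" -gt 1 ]; then
            echo "STALE  $dir/.env holds $n OM_API_KEY lines; remove the old ones"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}
```

Source the file and call `audit_cybermem_secrets` with no argument to check `~/.cybermem`; a non-zero return means at least one finding was printed.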