This guide helps you run Postbrain for the first time.
For a fresh installation, use the built-in onboarding command. It runs migrations, creates (or reuses) a bootstrap principal with system-wide admin privileges, creates an initial scope, and prints a new API token.
postbrain onboard \
--config ./config.yaml \
--slug admin \
--display-name "Postbrain Admin" \
--token-name "bootstrap-admin"Store the printed token immediately, then export:
export POSTBRAIN_URL="http://localhost:7433"
export POSTBRAIN_TOKEN="<token-from-onboard>"Server installation options are documented in:
This includes:
- local process (source build)
- GitHub release binaries
- Docker image deployment
- Kubernetes Helm deployment
Install postbrain-cli from one of these paths:
- GitHub Releases:
- download
postbrain-client_<os>_<arch>archive - extract
postbrain-cliinto your PATH
- download
- Linux packages:
.deb:postbrain-client_<version>_linux_<arch>.deb.rpm:postbrain-client_<version>_linux_<arch>.rpm
- Package manifests:
- Homebrew:
packaging/homebrew/ - MacPorts:
packaging/macports/ - winget:
packaging/winget/
- Homebrew:
Quick one-liner installer (client binary, latest release):
./scripts/install-postbrain.sh client
./scripts/install-postbrain.sh client v1.2.3Verify:
postbrain-cli versionPostbrain APIs require bearer tokens.
Create/manage tokens with server CLI commands. Tokens are downscoped credentials: each token can only exercise permissions and scope access that the owning principal already has.
Note: token create requires both a token name and the owning principal slug.
postbrain token create --name "<name>" --principal "<principal-slug>"postbrain token listpostbrain token revoke
Then set client-side environment variables:
POSTBRAIN_URL(for examplehttp://localhost:7433)POSTBRAIN_TOKEN(issued bearer token)- optional
POSTBRAIN_SCOPEfor default scope selection- set this to a full
kind:external_idvalue (for exampleproject:acme/platform/postbrain)
- set this to a full
Permission model reference for token design:
- permission format:
{resource}:{operation}(for examplememories:read,knowledge:write) - shorthand permissions:
read,write,edit,delete(expanded across all resources) - scope restrictions: token
scope_idsrestrict access to selected scopes and descendants
See Access Control Reference for full details and troubleshooting guidance.
Use the CLI to install Postbrain skill files into your project.
Codex:
postbrain-cli install-codex-skill --target /path/to/projectClaude Code:
postbrain-cli install-claude-skill --target /path/to/projectIf --target is omitted, current directory (.) is treated as the project root.
Both commands accept a --url flag to set the Postbrain backend URL explicitly:
postbrain-cli install-claude-skill --target /path/to/project --url https://postbrain.example.com
postbrain-cli install-codex-skill --target /path/to/project --url https://postbrain.example.comThe backend URL is resolved in this order: --url flag → POSTBRAIN_URL env var → .claude/postbrain-base.md / .agents/postbrain-base.md → interactive prompt (default: http://localhost:7433).
Codex hook support is experimental and currently unavailable on Windows.
Enable hooks in ~/.codex/config.toml:
[features]
codex_hooks = trueThen add Postbrain commands to ~/.codex/hooks.json or <repo>/.codex/hooks.json:
{
"hooks": {
"PostToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "postbrain-cli snapshot --scope \"$POSTBRAIN_SCOPE\""
}
]
}
],
"Stop": [
{
"hooks": [
{
"type": "command",
"command": "postbrain-cli summarize-session --scope \"$POSTBRAIN_SCOPE\""
}
]
}
]
}
}Codex supports plugins in app and CLI (/plugins). Use plugins for shared reusable integrations and keep Postbrain
skill files installed in-project for repository-specific behavior.
If you want browser login and OAuth client integrations:
- configure
oauth.base_url - enable one or more providers under
oauth.providers - verify callback URLs in provider app settings
- review OAuth server settings under
oauth.server
See OAuth Logins and Configuration.
After startup:
- open
GET /.well-known/oauth-authorization-server(optional but useful) - run one
rememberwrite from your client/agent - run one
recallquery in the same scope
If both succeed, your base setup is working.
After bootstrap, create your first principal/scope hierarchy. Examples below use curl + jq.
company_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/principals" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"kind":"company","slug":"acme","display_name":"ACME Inc"}' | jq -r '.ID'
)"
team_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/principals" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"kind":"team","slug":"acme-platform","display_name":"Platform Team"}' | jq -r '.ID'
)"
user_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/principals" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"kind":"user","slug":"alice","display_name":"Alice"}' | jq -r '.ID'
)"User belongs to team, team belongs to company:
curl -sS -X POST "${POSTBRAIN_URL}/v1/principals/${company_id}/members" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"member_id\":\"${team_id}\",\"role\":\"member\"}"
curl -sS -X POST "${POSTBRAIN_URL}/v1/principals/${team_id}/members" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"member_id\":\"${user_id}\",\"role\":\"member\"}"company_scope_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/scopes" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"kind\":\"company\",\"external_id\":\"acme\",\"name\":\"ACME\",\"principal_id\":\"${company_id}\"}" | jq -r '.ID'
)"
team_scope_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/scopes" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"kind\":\"team\",\"external_id\":\"acme/platform\",\"name\":\"Platform\",\"principal_id\":\"${team_id}\",\"parent_id\":\"${company_scope_id}\"}" | jq -r '.ID'
)"
project_scope_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/scopes" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"kind\":\"project\",\"external_id\":\"acme/platform/postbrain\",\"name\":\"Postbrain\",\"principal_id\":\"${team_id}\",\"parent_id\":\"${team_scope_id}\"}" | jq -r '.ID'
)"
user_scope_id="$(
curl -sS -X POST "${POSTBRAIN_URL}/v1/scopes" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"kind\":\"user\",\"external_id\":\"alice\",\"name\":\"Alice Personal\",\"principal_id\":\"${user_id}\",\"parent_id\":\"${team_scope_id}\"}" | jq -r '.ID'
)"Set default working scope for agent tooling:
export POSTBRAIN_SCOPE="project:acme/platform/postbrain"postbrain token create --name "postbrain-project" --principal "acme-platform"Use the returned token for CI/agents that should only work in this project context.
curl -sS -X POST "${POSTBRAIN_URL}/v1/scopes/${project_scope_id}/repo" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"repo_url":"https://github.com/simplyblock/postbrain.git","default_branch":"main"}'Trigger initial indexing:
curl -sS -X POST "${POSTBRAIN_URL}/v1/scopes/${project_scope_id}/repo/sync" \
-H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{}'Check indexing status:
curl -sS -H "Authorization: Bearer ${POSTBRAIN_TOKEN}" \
"${POSTBRAIN_URL}/v1/scopes/${project_scope_id}/repo/sync"postbrain-cli install-codex-skill --target /path/to/project --url https://postbrain.example.com
postbrain-cli install-claude-skill --target /path/to/project --url https://postbrain.example.com
postbrain-cli skill sync --scope "project:acme/platform/postbrain" --agent "claude-code"See Common Usage Workflows for practical patterns you can adopt immediately.