Issue one key per consumer: one for Claude Code, one for Cursor, one for Hermes-agent, one for a CI script, etc. The Name field below shows up in the table so you can see which integration is using each key — and revoke a single one if it leaks, without burning the others.

The dashboard mints itself an "onboard-issued" key automatically so you can log in. Beyond that, generate as many as you need — there's no per-key quota; quota is applied at the user level.

Uses the WebAuthn API your browser already supports — TouchID, Windows Hello, a hardware key, or your password manager. The private key never leaves your device. Server only stores the public key + a credential ID.

Each device or password manager can hold multiple. Browsers usually sync across your account (iCloud Keychain, Google PM, 1Password, …).

Reads ~/.mazemaker/embedding.toml from your local pod. Loopback fetch — only works when the dashboard is open on the same machine the pod runs on.

Pick one. Free-tier users are restricted to fastembed server-side (the wonderland write succeeds locally but the engine ignores non-allowed providers). Lite/Pro can use any.

• fastembed — CPU ONNX, default. 1024-dim BAAI/bge-small-en-v1.5. Always works.
• sentence-transformers — load PyTorch + the model on first encode (~150MB). Picks device automatically; override here. CUDA needs nvidia-container-toolkit on the host.
• jina v5 / openai / voyage / together — your key, your bill. We never see the key (it's stored locally in embedding.toml and the embedding-worker uses it directly). Cloud embedding latency ~100-300ms but quality is highest.

Opens the Stripe customer portal to update payment method, view invoices, or cancel.

Wonderland is the part of mazemaker that sits between your AI tool (Claude Code, Cursor, Hermes-agent, …) and the memory store. Your tool talks plain MCP over loopback (http://127.0.0.1:8765/sse); Wonderland transparently encrypts every memory before it lands in the store, and decrypts only on recall — using a vault key derived from your license at boot, never written to disk.

It runs entirely on your machine as part of the mazemaker pod. Nothing about your memory content ever crosses a network boundary in the clear. Even if someone gets a copy of your local memory database — especially if someone does — the rows look like noise without the in-RAM vault key.

• AES-256-GCM symmetric encryption per memory field
• Vault key derived (HKDF-SHA256) from your license JWT & device fingerprint at boot
• Idempotent: is_encrypted() sniff prevents double-encrypt loops
• Zero key material ever stored on disk or sent off-machine

AI agent memory is uniquely sensitive — it accumulates everything your agent has seen, including snippets of code you might never publish, conversations, credentials your agent passed through, partial drafts, customer data. A traditional vector DB stores it all in clear text in some file on disk.

Wonderland's job is to make the on-disk representation worthless without an authenticated, license-bound boot. You can copy ~/.mazemaker/data/ to a USB stick — without the live vault key (which only exists in the pod's RAM while a valid license is active), it's just opaque ciphertext.

You don't, directly — Wonderland is part of the pod the install.sh script sets up. Your AI tools connect to the local MCP endpoint and Wonderland sits invisibly in the request path. The wire.sh helper auto-registers the endpoint with every supported tool.

{
  "mcpServers": {
    "mazemaker": {
      "url": "http://127.0.0.1:8765/sse",
      "type": "sse"
    }
  }
}

Want the full integration spec? See api.mazemaker.dev/integration.md — agent-readable, so your LLM can self-configure from it.

// pick a tool above, edit args, hit COPY AS CURL or TRY ON LOCAL POD

Browse, view and delete individual memories by ID. This panel queries your local pod (loopback to http://127.0.0.1:8765) which means: it only works when this dashboard is open on the same machine the pod runs on, AND your pod exposes the dev /memory endpoints (default in mazemaker-pod ≥ today's build). If the panel says "no connection", use the COPY AS CURL flow above instead.