Algolia keys security best practices

Hello,

We’re trying to figure out the best practice for providing API keys and to avoid using personal api keys. We currently have over 8 pages of API keys for our org (which majority of those keys are definitely not being used since it looks like every user gets their personal API keys automatically even if they do not generate it).

We found this doc here (https://www.algolia.com/doc/guides/security/api-keys/) but is there a way to see which API keys have recent activity so we can have fewer API keys available within our org?

Hi,

Indeed personal keys are always created according to the user permission. Those keys are deleted when the user will be removed from the application.

You are correct it’s better to generate dedicated key. Unfortunately, we don’t log key usage so we don’t have any easy way to know what key is used. I’d recommend using the description of the key to specify what it’s used for. If you know what keys are used in production for sure and rotate keys for staging and dev environment.

Please let me know if that answers your question.