API Key Security with Frontend Search


I’m using algolia to facilitate text search across data that is stored in firebase. I’m not a security expert, but firebase stresses the fact that front end api keys are vulnerable and authentication based access controls should be in place for the data they are used to search.

Some of the data I’m using algolia to search is sensitive and should not be accessible to anyone except the authenticated user that it belongs to, but I’d like to use frontend search in my application for improved speed. What is the best practice for ensuring that this data and the api key is not exposed? I’ve read about dynamically fetching the algolia keys before performing the search and not hardcoding them, but is this enough?


Ephemeral Secure API keys are definitely the right approach here. Best practice here is to make sure each key is generated with a minimal TTL and permissions.

And here’s the larger pattern:

Basically, when a user logs in, you assign them an ephemeral token with hardcoded filters based on attributes you’ve added to the individual records. As they search, it will always be in the context of these filters, restricting which records they can see.