B2B Multi tenant app

Hello,

I’m building a B2B multi-tenancy app and want to use Algolia for the search. I learned that I can use secret API keys to handle the different tenants. Is it enough to generate one secret key per tenant and save this in a table, or does this secret API key need to be generated for each request?
Are there any other ways to implement multitenancy?

Best,

Hi Arthur,

That’s a good question. I guess it really depends on your threat model.
I assume that when you are talking about secret API keys, you actually are talking about secured API Keys.

If that’s the case, I guess the questions you should ask yourself are:

  • What would be the issue if one of my tenants leaked their secured API Key? How problematic would it be for them? For your service? Maybe it is fine if the API Keys live forever, maybe it’s better if they have a short TTL.
  • Do they need to know their Algolia API Key? If they do, how practical would it be to have one dedicated API Key that they can save on their end compared to ephemeral keys?
  • Are there other features that you would like to leverage from secured API Keys, such as rate limits, etc.?

There are many different ways to answer these questions and their answers will change your requirements for the secured API Keys, but yes, secured API Keys would be a good way to handle multi-tenancy.

Let me know if that answered your question.
Best,

Hi Jonathan,

Yes, right, I mean the secured API Keys. Regarding the questions:
What would be the issue if one of my tenants leaked their secured API Key? How problematic would it be for them? For your service? Maybe it is fine if the API Keys live forever, maybe it’s better if they have a short TTL.
Yes, it would be a big issue.

Do they need to know their Algolia API Key? If they do, how practical would it be to have one dedicated API Key that they can save on their end compared to ephemeral keys?
No, they just use the search like in a B2C app, they should just see only their content 🙂

Are there other features that you would like to leverage from secured API Keys, such as rate limits, etc.?
Not at the moment, but in the future this could be relevant.

So my approach at the moment is to generate a secured API key and set a filter for the tenantId.

Thanks and Best,

Another interesting question would be, is it better to have one Index per Customer or is it better to have one Index for all?

Just to clarify:

No, they just use the search like in a B2C app, they should just see only their content 🙂

Do you mean that this will be a back-end search implementation or will they have an Algolia-managed search bar on your service / website that they can use to search?

In the first case, you have full control over the implementation of the secured API keys and can change it pretty much at any time pretty transparently, whereas in the second, more care should be taken now to identify the exact needs and how they can change to define the best approach.

Another interesting question would be, is it better to have one Index per Customer or is it better to have one Index for all?

This is also dependent on your use case. Do you expect your customers to know about content from one another? If so, a single index with filters can be a better design for your solution, but if you don’t expect them to know about each other, we generally find it much safer and easier to implement to have separate indices for each of your customers.

Do you mean that this will be a back-end search implementation or will they have an Algolia-managed search bar on your service / website that they can use to search?

The first approach would be to use the InstantSearch library.

This is also dependent on your use case. Do you expect your customers to know about content from one another? If so, a single index with filters can be a better design for your solution, but if you don’t expect them to know about each other, we generally find it much safer and easier to implement to have separate indices for each of your customers.

No, the customer should not know about the content of the others.

Would it make sense then to create separate indices for each customer and secure them additionally with a secured API Key + Filter?

Thank you for the fast response Jonathan.

Best,

Based on your description, the secured API Key would be visible to the end-user. In this situation, I would indeed advise you to have somewhat short-lived secured API Keys (e.g. TTL 1 day) and index restriction directly baked into the secured API Key using the field restrictIndices.

More documentation here: https://www.algolia.com/doc/api-reference/api-methods/generate-secured-api-key/#method-param-restrictindices
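
Added example (not part of the thread and not Algolia's client code): a standard-library sketch of how a back end could mint a one-day, per-tenant secured API Key with `restrictIndices`, `filters` and `validUntil`, and why a key the end-user can read still cannot be edited. The attribute name `tenantId`, the index naming `tenant_<id>`, the sample parent key and the exact parameter serialization are assumptions; in production, call the generate-secured-API-key method of the official client from the documentation linked above.

```python
import base64, hashlib, hmac, re, time
from urllib.parse import urlencode, parse_qs

def _sign(parent_search_key, params):
    # Secured keys are an HMAC-SHA256 over the restriction string, keyed by the parent key.
    return hmac.new(parent_search_key.encode(), params.encode(), hashlib.sha256).hexdigest()

def mint_tenant_key(parent_search_key, tenant_id, ttl_seconds=86400, now=None):
    """Derive a short-lived key limited to one tenant's index and records."""
    # tenant_id must come from the server-side session; reject anything that
    # could smuggle extra filter syntax such as "acme OR tenantId:other".
    if not re.fullmatch(r"[A-Za-z0-9_-]+", tenant_id):
        raise ValueError("invalid tenant id")
    now = int(time.time()) if now is None else now
    restrictions = {
        "filters": f"tenantId:{tenant_id}",        # assumed attribute name
        "restrictIndices": f"tenant_{tenant_id}",  # assumed index naming
        "validUntil": now + ttl_seconds,           # Unix timestamp
    }
    params = urlencode(sorted(restrictions.items()))
    return base64.b64encode((_sign(parent_search_key, params) + params).encode()).decode()

def inspect_key(secured_key, parent_search_key, now=None):
    """Return the embedded restrictions; raise ValueError if tampered or expired."""
    raw = base64.b64decode(secured_key).decode()
    mac, params = raw[:64], raw[64:]  # 64 hex chars of HMAC, then the restrictions
    if not hmac.compare_digest(mac, _sign(parent_search_key, params)):
        raise ValueError("signature mismatch")
    fields = {k: v[0] for k, v in parse_qs(params).items()}
    now = int(time.time()) if now is None else now
    if int(fields["validUntil"]) <= now:
        raise ValueError("key expired")
    return fields

if __name__ == "__main__":
    parent = "constructed-search-only-key"  # constructed sample, never an Admin key
    key = mint_tenant_key(parent, "acme")
    print(key)
    print(inspect_key(key, parent))
```

The restrictions are readable by anyone holding the key, so they must not contain secrets; the parent key stays on the server and should be a search-only key.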

Perfect, thank you very much 🙂

Just for the future and curiosity, what would be your suggestion for a back-end search implementation without using the InstantSearch library?