Hi, I am working on a project for a client that has multiple user groups. These user groups should only be able to access certain data when searching.
I have been able to set up the different search keys on my backend by following these instructions: User-Restricted Access to Data | How to | Security | Guide | Algolia Documentation
Something that I found interesting is that the secure API keys that I create don’t show up in the API Keys section of the Dashboard. I assume that is intentional, and it leads into my question of how I delete an API key. What a user can search for can change (e.g. admin being upgraded to super admin), so in order to give them these new privileges I create a new search key for them (I save each user’s search key to their user record in the database for retrieval when they log in). However, I can’t seem to delete the old key.
I have been trying to use deleteAPIKey to revoke the user’s key. This succeeds with status code 200, however it doesn’t seem to actually disable the key. I am still able to search with it. I then saw in the guide that if I want to disable a restricted key, I need to delete the parent key that made it.
In my case, I am using the generic search key that gets auto-created when you set up an Algolia account. If I was to delete this, then all my restricted API keys would stop working. Does this mean that to have the level of control that I need, I would have to first generate a normal API key, to then generate a restricted API key, just so that when I want to delete my restricted key I delete the normal API key that made the restricted one (hope that makes sense)?
I hope that is not the case, as that seems like a really roundabout way of doing it.
Thanks in Advance
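
The behaviour described in the post, as an added example that is not part of the original post and not Algolia's code: a secured key is derived locally as an HMAC-SHA256 of the restriction parameters under the parent key, so it is never stored server-side and can only be invalidated through its parent or an embedded `validUntil`. The server-side check is a simplified model, and the per-group parent keys, key strings and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


def derive_secured_key(parent_key, restrictions):
    """Derive a secured key locally: base64(hex(HMAC-SHA256(parent, params)) + params)."""
    params = urlencode(sorted(restrictions.items()))
    digest = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((digest + params).encode()).decode()


def check_secured_key(secured_key, active_parent_keys, now):
    """Simplified model of the server-side check (assumption, not Algolia's code).

    Returns the embedded restrictions if the key verifies against a parent key
    that still exists and has not expired, otherwise None.
    """
    try:
        raw = base64.b64decode(secured_key, validate=True).decode()
    except ValueError:
        return None
    digest, params = raw[:64], raw[64:]
    for parent in active_parent_keys:
        expected = hmac.new(parent.encode(), params.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest.encode(), expected.encode()):
            restrictions = {k: v[0] for k, v in parse_qs(params).items()}
            if int(restrictions.get("validUntil", now + 1)) <= now:
                return None  # expired: short lifetimes reduce the need to revoke
            return restrictions
    return None  # no surviving parent key produces this signature


def demo():
    # Constructed placeholder parent keys, one per user group (hypothetical names).
    parents = {"admin": "PARENT_KEY_ADMIN_PLACEHOLDER", "staff": "PARENT_KEY_STAFF_PLACEHOLDER"}
    now = 1_700_000_000  # constructed timestamp
    admin = derive_secured_key(parents["admin"], {"filters": "group:admin", "validUntil": now + 3600})
    staff = derive_secured_key(parents["staff"], {"filters": "group:staff", "validUntil": now + 3600})
    active = set(parents.values())
    before = check_secured_key(admin, active, now) is not None
    active.discard(parents["admin"])  # deleting the parent key is the revocation step
    return {
        "admin_before": before,
        "admin_after_parent_deleted": check_secured_key(admin, active, now) is not None,
        "staff_unaffected": check_secured_key(staff, active, now) is not None,
        "staff_expired": check_secured_key(staff, active, now + 7200) is not None,
    }
```

Scoping one parent key per group, or per user where revocation must be individual, limits what a parent-key deletion takes down, and a short `validUntil` bounds how long a stale secured key remains usable.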