Deleting Secured API Keys

Hi, I am working on a project for a client that has multiple user groups. These user groups should only be able to access certain data when searching.

I have been able to setup the different search keys on my backend by following these instructions: User-Restricted Access to Data | How to | Security | Guide | Algolia Documentation

Something that I found interesting is that the secure API keys that I create don’t show up in the API Keys section of the Dashboard. I assume that is intentional, and it leads into my question of how I delete an API key. What a user can search for can change (e.g. an admin being upgraded to a super admin), so in order to give them these new privileges I create a new search key for them (I save each user’s search key to their user record in the database for retrieval when they log in). However, I can’t seem to delete the old key.

I have been trying to use deleteAPIKey to revoke the user’s key. This succeeds with status code 200; however, it doesn’t seem to actually disable the key. I am still able to search with it. I then saw in the guide that if I want to disable a restricted key, I need to delete the parent key that made it.

In my case, I am using the generic search key that gets auto-created when you set up an Algolia account. If I were to delete this, then all my restricted API keys would stop working. Does this mean that, to have the level of control that I need, I would have to first generate a normal API key and then generate a restricted API key from it, just so that when I want to delete my restricted key I delete the normal API key that made the restricted one (hope that makes sense)?

I hope that is not the case, as that seems like a really roundabout way of doing it.

Thanks in advance 🙂

Hi @development6,

Yes, it is expected that secured API Keys do not show up in your Algolia dashboard as these are virtual keys, they aren’t stored on our side.

Does this mean that, to have the level of control that I need, I would have to first generate a normal API key and then generate a restricted API key from it, just so that when I want to delete my restricted key I delete the normal API key that made the restricted one (hope that makes sense)?

Yes, this is one solution. We actually do not recommend creating your secured API keys directly from your Admin API Key, as it makes it harder to manage and rotate these keys.
Another recommended solution is to set an expiry date on your secured API keys, and regenerate these secured API keys on the fly on a regular basis, or by using the getSecuredApiKeyRemainingValidity method.

I hope this clarifies how secured API keys work; let us know if you have any concerns!
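To make the answer above concrete, here is an added example (not code from this thread, nor from Algolia's own clients) that reproduces the public secured-key derivation the clients use, HMAC-SHA256 over the URL-encoded restrictions with the parent key as the secret, then base64 of the hex digest concatenated with the restrictions, alongside a local model of the check the API performs when it receives such a key. The parent key, the replacement key, the restrictions and the fixed clock are all constructed for the example; `verify_secured_api_key` is an assumption about server behaviour written for illustration, and the exact restriction serialization in the real clients may differ in detail.

```python
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import urlencode

# Constructed parent key for the example only; a real parent key is a secret
# that belongs on the backend, never in source control.
PARENT_SEARCH_KEY = "0123456789abcdef0123456789abcdef"


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """Derive a secured (virtual) key from a parent key.

    Mirrors the public client derivation: base64(hex(HMAC-SHA256(parent, qs)) + qs),
    where qs is the URL-encoded restriction list. Nothing is sent to, or stored by,
    the API: the key is a pure function of (parent_key, restrictions).
    """
    qs = urlencode(restrictions)  # assumed serialization: insertion order, no sorting
    mac_hex = hmac.new(parent_key.encode(), qs.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((mac_hex + qs).encode()).decode()


def decode_secured_api_key(secured_key: str):
    """Split a secured key into (mac_hex, restriction_query_string).

    The restrictions are only encoded, not encrypted: anyone holding the key can
    read them, so restrictions must never carry anything confidential.
    """
    raw = base64.b64decode(secured_key).decode()
    return raw[:64], raw[64:]  # a hex SHA-256 digest is always 64 characters


def verify_secured_api_key(parent_key: str, secured_key: str, now=None) -> bool:
    """Local model (an assumption, not Algolia's code) of the server-side check.

    The API recomputes the MAC with the parent key it holds and enforces any
    validUntil restriction. There is no per-secured-key record to look up,
    which is why deleteAPIKey has nothing to delete.
    """
    mac_hex, qs = decode_secured_api_key(secured_key)
    expected = hmac.new(parent_key.encode(), qs.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac_hex, expected):
        return False  # parent key deleted/rotated, or restrictions tampered with
    match = re.search(r"validUntil=(\d+)", qs)
    if match:
        now = int(time.time()) if now is None else now
        if int(match.group(1)) <= now:
            return False  # expired
    return True


def get_secured_api_key_remaining_validity(secured_key: str, now=None) -> int:
    """Seconds until validUntil, as the client helper of that name reports it.

    Raises if the key carries no validUntil, because such a key never expires
    on its own and can only be revoked by removing its parent.
    """
    _, qs = decode_secured_api_key(secured_key)
    match = re.search(r"validUntil=(\d+)", qs)
    if match is None:
        raise ValueError("secured key has no validUntil restriction")
    now = int(time.time()) if now is None else now
    return int(match.group(1)) - now


def revocation_scenarios(now: int) -> dict:
    """Walk through the revocation options the thread discusses, at a fixed clock."""
    restrictions = {"filters": "group:admin", "validUntil": now + 3600}
    key = generate_secured_api_key(PARENT_SEARCH_KEY, restrictions)
    rotated_parent = "fedcba9876543210fedcba9876543210"  # constructed replacement key
    return {
        "accepted_now": verify_secured_api_key(PARENT_SEARCH_KEY, key, now),
        "accepted_after_expiry": verify_secured_api_key(PARENT_SEARCH_KEY, key, now + 3601),
        "accepted_after_parent_rotation": verify_secured_api_key(rotated_parent, key, now),
        "remaining_seconds": get_secured_api_key_remaining_validity(key, now),
    }


if __name__ == "__main__":
    print(revocation_scenarios(int(time.time())))
```

Because a secured key is derived rather than registered, there is no record for deleteAPIKey to remove; the only ways to stop it working are the two the example exercises: let validUntil lapse, or delete or rotate the parent key, which invalidates every secured key derived from it at once. That is also why deriving from a dedicated parent key (per application, or per user group) rather than from the account-wide search key keeps the blast radius of such a rotation small.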