Does using a secured API key with restrictIndices restrict that index to the Search-Only API key?
I’m working on implementing fine-grained access control on my Algolia indices. Specifically, I want to restrict access to a certain index so that only authenticated (logged in) users have the ability to search within it. The authentication is handled by a custom API, which validates JWT tokens. Upon successful validation, I’m planning to generate a secured API key (which restricts access to the particular index) and return it to the frontend.

Currently, I’m making extensive use of the Search-Only API key in the frontend of my application, which I understand provides search access to all my indices. However, my question revolves around the behavior of this Search-Only API key in the presence of a secured API key.

Suppose I secure an index using a secured API key. If a tech-savvy user has access to the Search-Only API key (which is, of course, publicly exposed on the frontend), would they be able to use this key to access the index secured by the secured API key? Or does creating a secured API key for an index effectively render that index non-searchable for non-secured API keys, such as the Search-Only API key?

Thank you in advance for your help.

In the scenario you described, if you secure an index with a secured API key, a tech-savvy user who has access to the Search-Only API key (which is publicly exposed on the frontend) would not be able to use that key to access the index secured by the secured API key. The secured API key only grants access to the specified index, and other indices remain inaccessible with that key.

@natasham6900 Will a call to secureKey, keeping it in instantsearch on the client (with empty searches prevented), cost money? Will it be a new search request/operation, billing-wise?

@natasham6900 That is not correct: the search-only API key has search access to all indices in the application.

If you’re utilizing the secure API keys flow, you would not want this key to be leaked, despite the fact that Algolia describes it as being public.

Having some insight from Algolia staff on this would be helpful. From my perspective, labelling this as a public key is dangerous for workflows like the one you’ve suggested.
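To make concrete why the reply above is right, here is an added example (not code from this thread or from Algolia's client libraries) that reproduces the documented secured-key derivation: the restrictions are HMAC-signed with the parent key and appended in the clear, so they bind only to the derived key, while the parent key itself keeps its full scope. The parent key value and index name are constructed placeholders, and the example assumes the parent is a dedicated server-side key rather than the public search-only key.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholder; a real backend loads a dedicated parent key from config,
# never the search-only key that is already shipped to every browser.
PARENT_KEY = "0123456789abcdef0123456789abcdef"


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """Derive a secured key the way Algolia's clients do: HMAC-SHA256 over the
    URL-encoded restrictions, keyed by the parent key, then base64(hex_hmac + params).
    The parent key is only used as the HMAC secret; its own access is unchanged."""
    params = urlencode(restrictions)
    digest = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((digest + params).encode()).decode()


def decode_restrictions(secured_key: str) -> dict:
    """Read back the embedded restrictions: they are signed, not encrypted,
    so anyone holding the secured key can see which index it is limited to."""
    raw = base64.b64decode(secured_key).decode()
    return {k: v[0] for k, v in parse_qs(raw[64:]).items()}  # first 64 chars = hex HMAC


def verify_secured_api_key(parent_key: str, secured_key: str) -> bool:
    """Server-side check: recompute the HMAC with the parent key and compare in
    constant time. A key derived from a different parent fails this check."""
    raw = base64.b64decode(secured_key).decode()
    digest, params = raw[:64], raw[64:]
    expected = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(digest, expected)


def key_usable_at(secured_key: str, now: int) -> bool:
    """Honour the optional validUntil (unix seconds) restriction, if present."""
    valid_until = decode_restrictions(secured_key).get("validUntil")
    return valid_until is None or now < int(valid_until)


if __name__ == "__main__":
    # Issued after JWT validation, scoped to one member-only index for one hour.
    key = generate_secured_api_key(
        PARENT_KEY, {"restrictIndices": "members_only", "validUntil": 1700003600}
    )
    print(decode_restrictions(key))          # restrictions are visible in the clear
    print(verify_secured_api_key(PARENT_KEY, key))  # True only for the issuing parent
```

The restriction lives entirely in the derived key: rotating or restricting the parent key is the only way to narrow what the parent itself can search.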

This situation could arise due to misconfigured search settings, such as incorrect indexing or ranking rules. It might also be related to the synchronization process between your Discourse forum and Algolia, where data updates are not being pushed correctly. To address this issue, you’d need to thoroughly review your indexing configuration, ensure that your forum data is correctly synchronized with Algolia, and fine-tune your ranking and filtering settings to ensure accurate search results for your discourse.algolia users.