Is all the info in Secured APIKey necessary?

I created a secured API Key using the information you provide on this page:

This is the code we use to get the public key:

    // Algolia .NET client: sign the restriction parameters with the secret (parent) key
    string public_key = client.GenerateSecuredApiKey(
            apikey,                                   // secret API key, stays server-side
            new Query()
                .SetRestrictIndices(restrictIndices)  // indices this derived key may search
            );

Where apikey is the secret api key and restrictIndices is the index that is being queried.

This secured public_key that is returned is a 64 bit encoded string that is made up of an API key and then the values of the restrictIndices.

Our security folks asked me to find out:

  1. In the secured public_key we see the restricted indices. Are the indices supposed to be listed within?
  2. Is it possible to remove the restrictIndices from this? Can this be done programmatically using Algolia’s library? Or programmatically by us?

Thanks
Eric

hi @ecoffman :wave:

It is indeed expected that the indices be listed in the secured key. That should not create a security issue because in any case the queried index will appear in the clear in the client code and in the request when performing search queries.

It is not possible to use secured API keys without the restrictions being embedded in them.

If it really is an issue the API gives you the ability to programmatically create persisted API keys with restrictions, however they are more cumbersome to work with and should typically not be necessary if you use secured API keys.

Might I ask why you are concerned about the indices appearing in the secured key?

Alexandre
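To make concrete what Eric observed in the decoded key and why Alexandre says the visible indices are not a weakness, here is an added Python illustration (not Algolia's library code, and not part of the thread) of the secured-key scheme: an HMAC-SHA256 over the URL-encoded restriction parameters, keyed with the parent key, hex-encoded and concatenated with those parameters, then base64-encoded. The parent key and restriction values below are constructed for the example; `rewrite_restrictions` exists only to show that editing the readable part without the parent key breaks the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed parent key for the illustration; a real one is a secret held server-side.
PARENT_API_KEY = "example-parent-search-key"

# A hex SHA-256 digest is always 64 characters, so the layout is fixed: sig + params.
SIG_LEN = 64


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """Build a secured key: base64(hex(HMAC-SHA256(parent_key, params)) + params)."""
    params = urlencode(restrictions)
    sig = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((sig + params).encode()).decode()


def decode_secured_key(secured_key: str) -> dict:
    """What anyone holding the key can read: the restrictions are plain text."""
    raw = base64.b64decode(secured_key).decode()
    sig, params = raw[:SIG_LEN], raw[SIG_LEN:]
    restrictions = {k: v[0] for k, v in parse_qs(params).items()}
    return {"signature": sig, "restrictions": restrictions}


def verify_secured_key(parent_key: str, secured_key: str) -> bool:
    """Server-side check: recompute the HMAC with the parent key and compare."""
    raw = base64.b64decode(secured_key).decode()
    sig, params = raw[:SIG_LEN], raw[SIG_LEN:]
    expected = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def rewrite_restrictions(secured_key: str, new_restrictions: dict) -> str:
    """Keep the old signature but swap the readable parameters (for demonstration only)."""
    raw = base64.b64decode(secured_key).decode()
    return base64.b64encode((raw[:SIG_LEN] + urlencode(new_restrictions)).encode()).decode()


if __name__ == "__main__":
    key = generate_secured_api_key(PARENT_API_KEY, {"restrictIndices": "products"})
    print("decoded:", decode_secured_key(key))            # restrictIndices visible
    print("valid:", verify_secured_key(PARENT_API_KEY, key))   # True
    altered = rewrite_restrictions(key, {"restrictIndices": "other_index"})
    print("altered valid:", verify_secured_key(PARENT_API_KEY, altered))  # False
```

The point for a security review: the restrictions are integrity-protected, not confidential. Confidentiality comes from never shipping the parent key; the index names were already going to be visible in every search request, exactly as the reply above says.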