Are generated secured API keys always search only?

Hey there!

Just a sanity check: are API keys generated by ‘generateSecuredApiKey’ always ‘search only’, meaning they can securely be consumed by the frontend, even if the API key used to generate them also had write access?

It is my understanding that this is the case, but I couldn’t seem to find it explained explicitly anywhere, so I wanted to be absolutely sure.

My confusion mainly arises because the docs here state to use “YourSearchOnlyApiKey”: https://www.algolia.com/doc/api-reference/api-methods/generate-secured-api-key/

Thanks in advance.

Hi Rasmus,

Your assumption is correct.

To generate a secured API key you need to use a search-only API key, and to generate it from your back-end.
Then the key is secured and you can use it from your front end.

In addition to the documentation you linked, there is this one that can help you: https://www.algolia.com/doc/guides/security/api-keys/how-to/user-restricted-access-to-data/#generating-a-secured-api-key

Let me know if this is still not clear.

Hi Sophie

Thanks for the rapid reply!

Does that mean, however, that if I use e.g. an Admin API key in generateSecuredApiKey(), the generated key will also have write access and thus be insecure to consume by the frontend?

The use case is that I have a Laravel backend that also syncs models to Algolia. If possible I’d like to have only one API key to both perform sync / index operations AND generate a secured key for the frontend.
Otherwise I’ll have to store both an Admin key and a Search-only key, the latter just to generate new keys for the frontend.

Hope this clarifies my question

EDIT: Just for clarification, I’m not actually using the “Admin” key, but a custom key restricted to an environment (i.e. prefix: local_*). This custom key has access to the full ACL spectrum, such as “addObject”, “deleteIndex”, etc.
So my question is whether or not a generated secured key could also delete indices. In my own attempts I’ve not been able to misuse the generated key to drop indices, so my assumption was that it was only for searching.

Thanks for clarifying the context!

You can generate a secured key using a write one, but it will behave like a search API key.
So to answer your question: if you want to use the generated key to delete objects, you’ll get an error (“AlgoliaSearchError: Invalid Application-ID or API key”) and won’t be able to proceed.

Hope that answers your question better.

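The mechanism behind Sophie's answer, as an added example that is not part of this thread and not Algolia's own code: a secured API key is produced locally on the backend by an HMAC-SHA256 over the URL-encoded restrictions, keyed with the parent API key, with the hex digest prepended to the restrictions and the whole thing base64-encoded (this format is an assumption taken from Algolia's published client libraries; exact serialization of the restrictions differs between clients, so this block is illustrative rather than a drop-in replacement for `generateSecuredApiKey`). The generation step never consults the parent key's ACL, which is why it works equally with a write-capable parent; what the derived key may actually do is decided by Algolia's servers when it is used. The `verify_secured_api_key` function is a local model of that server-side check, written here only to show why the restrictions embedded in the key cannot be altered by whoever holds it on the frontend. `PARENT_API_KEY` and the restriction values are constructed placeholders.

```python
"""Illustrative model of Algolia-style secured API keys (added example).

Assumed format (from Algolia's open-source clients, not verified against the
server): base64( hex(HMAC-SHA256(parent_key, params)) + params ), where params
is the URL-encoded restriction map. The parent key stays on the backend; only
the derived key is shipped to the frontend.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed placeholder, not a real Algolia key.
PARENT_API_KEY = "0123456789abcdef0123456789abcdef"


def serialize_restrictions(restrictions: dict) -> str:
    """URL-encode the restriction map; list values are joined with commas."""
    items = []
    for key, value in restrictions.items():
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        items.append((key, value))
    return urlencode(items)


def generate_secured_api_key(parent_api_key: str, restrictions: dict) -> str:
    """Derive a secured key: hex HMAC-SHA256 of the params, followed by the params.
    Pure local computation: the parent's ACL plays no part here."""
    params = serialize_restrictions(restrictions)
    mac = hmac.new(parent_api_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((mac + params).encode()).decode()


def decode_secured_api_key(secured_key: str) -> tuple[str, str]:
    """Split a secured key into (hex mac, params). The restrictions are NOT
    secret: anyone holding the key can read them. Only the mac binds them."""
    raw = base64.b64decode(secured_key, validate=True).decode()
    return raw[:64], raw[64:]


def verify_secured_api_key(parent_api_key: str, secured_key: str) -> Optional[dict]:
    """Local model of the server-side check (illustrative, not Algolia's code):
    recompute the mac under the stored parent key and compare in constant time.
    Returns the enforced restrictions, or None if the key is invalid or tampered."""
    try:
        mac, params = decode_secured_api_key(secured_key)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(parent_api_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    if len(mac) != 64 or not hmac.compare_digest(mac, expected):
        return None
    return {k: v[0] for k, v in parse_qs(params, keep_blank_values=True).items()}


def forge_with_new_restrictions(secured_key: str, new_params: str) -> str:
    """What a frontend attacker can do without the parent key: keep the old mac
    and swap the params. verify_secured_api_key() must reject the result."""
    mac, _ = decode_secured_api_key(secured_key)
    return base64.b64encode((mac + new_params).encode()).decode()


def demo() -> dict:
    """Generate a key for one user/index, then show what an attacker cannot do."""
    restrictions = {
        "filters": "user_id:42",                # lock search to one user's records
        "restrictIndices": ["local_products"],  # and to one index
        "validUntil": 1700000000,               # constructed unix timestamp
    }
    key = generate_secured_api_key(PARENT_API_KEY, restrictions)
    forged = forge_with_new_restrictions(key, "filters=user_id%3A1")
    return {
        "key": key,
        "restrictions": verify_secured_api_key(PARENT_API_KEY, key),
        "wrong_parent": verify_secured_api_key("not-the-parent-key", key),
        "forged": verify_secured_api_key(PARENT_API_KEY, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the construction: the restrictions travel in cleartext inside the key, so nothing confidential belongs in a filter value, and the derived key is only as good as the parent it was minted from (revoking or rotating the parent invalidates every key derived from it).
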
That sounds perfect. Then it behaves exactly as I hoped and expected.

Thanks Sophie!


To summarize:

The “generateSecuredApiKey” method always outputs “search only” keys.

One can safely use a backend “write key” to generate a secured key consumed by the frontend.


PS: It would be great if the docs somehow clarified this for future reference. Currently it reads as if you must always use a “search-only” key with “generateSecuredApiKey”, which seems inaccurate. :)