Is it the right way to generate a secured API Key every time a search query is executed from the client?

We started using Algolia to implement the search feature in our multi-tenant SaaS.
Now we are worried about the proper way to use secured API Keys…

Can you advise us whether this way is proper or not…

  • When the client side calls the search API, the backend server issues a new secured API Key with a very short expiry, e.g. 60 seconds, and the front-end client uses it.

We are thinking of using the secured API Key just like a one-time token in case the key is revealed by a malicious user… (As long as the secured API key is used on the client side, that key is visible.)

Is this approach within Algolia’s expectations?
Or in such a case, should we execute the search query from the server side?

2 Likes

Hi @go.akazawa, this should work and in theory shouldn’t cause any issue (performance or otherwise), since secured API keys are ephemeral and can be generated in virtually infinite numbers.

That being said, it seems a little overkill, since such short-lived keys might lead to a degraded user experience without raising the security level much (as long as you have the proper ACL on the parent key): if the end user stays on the page for more than 60 seconds, then they can’t search anymore and will get a “broken” experience.
What we typically see is keys being generated with at least 1 hour before expiration, or sometimes they are generated once per end-user, or once per day/week/month.

As a reference, many Algolia customers use one unique (search-only) key in their public frontend and it works just fine. There is a minor risk of having the index crawled through the Search API but this can be mitigated with things like API key rate limiting and paginationLimitedTo.

3 Likes
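As an added illustration (not code from this thread or from Algolia's own client libraries) of the key construction the reply relies on: a backend mints a secured key by HMAC-SHA256-signing the URL-encoded restrictions with the search-only parent key and base64-encoding the digest together with those restrictions, so the restrictions are readable by whoever holds the key but cannot be altered. The parent key value and index name are placeholders, and the insertion-order encoding of the restrictions is an assumption about the official clients.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """base64(hex(HMAC-SHA256(parent_key, qs)) + qs), qs = URL-encoded restrictions.

    Assumption: restrictions are encoded in insertion order, as the clients do.
    """
    qs = urlencode(restrictions)
    digest = hmac.new(parent_key.encode(), qs.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((digest + qs).encode()).decode()


def tenant_search_key(parent_key: str, tenant_id: str,
                      ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint a per-tenant key valid for ttl_seconds (default: the one hour suggested above).

    restrictIndices and filters pin the key to the tenant's own rows, so a leaked
    key still cannot read another tenant's data; validUntil is a Unix timestamp.
    """
    now = int(time.time()) if now is None else now
    return generate_secured_api_key(parent_key, {
        "validUntil": now + ttl_seconds,
        "restrictIndices": "products",          # placeholder index name
        "filters": f"tenant_id:{tenant_id}",    # tenant isolation filter
    })


def verify_secured_api_key(parent_key: str, secured_key: str) -> bool:
    """Recompute the HMAC the way the API does; edited restrictions fail here."""
    decoded = base64.b64decode(secured_key).decode()
    digest, qs = decoded[:64], decoded[64:]   # 64 hex chars of SHA-256, then the query string
    expected = hmac.new(parent_key.encode(), qs.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(digest, expected)


def remaining_validity(secured_key: str, now: Optional[int] = None) -> int:
    """Seconds until the embedded validUntil elapses (negative once expired).

    The backend can use this to refresh a key before the front end breaks.
    """
    now = int(time.time()) if now is None else now
    qs = base64.b64decode(secured_key).decode()[64:]
    return int(parse_qs(qs)["validUntil"][0]) - now
```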