Is there any way to hide the objectID from the answer?

It’s hard to explain my use case, but I want only the user that knows the objectID (secret) be able to update/delete etc. I tried listing it in unretrievable attributes but it still comes back

While this makes sense, relying on an objectID for security is not how the API has been designed at all.
It will always come back on any query because that’s our way of identifying them.

I’m now guessing that you’re not using a generated one but one coming from your services.

Something that you could do though is to implement a method which would do this in two steps.

  • Index your id in an id attribute, and generate a new random id for the objectID
  • Set id as an attributesForFaceting as filterOnly(id) (this will prevent the ids to be be listable using facet values)
  • Set it as an unretrievableAttribute
  • update / delete operations should be handled in your back-end
  • Whenever a user wants to update / delete, first call'', { filters: 'id:"' + id + '"' })
  • Then get the objectID of the first result if it exists
  • Then run the operation on this objectID

I’m not guaranteeing that this would be a secure set-up, but it sounds like it would pretty much match what you’re trying to do.