I read the tutorials on Api keys and it says to not ship the Search API key hardcoded in the app because it can be easily stolen. What about fetching the Api key from Firebase database without any login. This way the key can be revoked anytime but what about security. Anybody can fetch my key this way. How do you store it ?
Admin API keys are very sensitive and should never be shared because they allow users to manage everything regarding indices. On the other hand, Search-only API keys are safe to use because they only allow read operations and can be restricted to one or more indices.
You can safely embed Search-only API keys in your mobile app
Here is the documentation about API keys: https://www.algolia.com/doc/guides/security/api-keys/
Don’t hesitate to contact us if you have any other questions!
In documentation says “API keys should not be hardcoded in the shipped mobile applications; they should always be dynamically fetched from the application backend”. But this is true only if there is an application backend!
What about the cases that there is a single application without any backend ? A Firestore implementation with anonymous login is a preferable way of getting the Secure API key securely ?