Multi-tenant Algolia index

Hi,

I would like to offer full-text search to my users through their data - and make sure that they can only access the data they own. Are there any patterns that allow doing that on Algolia? None of the solutions I’ve considered seem a good fit, so I was wondering if I had overlooked some other options.

We could host each user’s data in a separate Algolia app, so that each API key would give access to only the relevant data, but that would quickly become unaffordable, as many would hit the 10000 records limit.

We could host each user’s data in a separate index and use team index restrictions, but there does not seem to be an API to manage those, and that would anyway require an Algolia account for each customer, which seems like a misuse of the service (we could e.g. generate email addresses at our domain name).

Finally, we could filter queries with some userId to retrieve only the relevant data, but that wouldn’t be secure, as someone could use the API key to query Algolia without the filter. We could proxy Algolia calls to inject the filter and the API key - but the perf penalty would probably be high.

Any other suggestions? Thanks!

1 Like

Hi @paul,

The best approach for your use case is to use what we call generated API keys. Here is the documentation for the JavaScript client: https://www.algolia.com/doc/api-client/javascript/api-keys/#generate-key

The usage is fairly simple: you generate an API key on the fly based on your search API key + some additional query params.

The resulting API key can be used like a standard search API key, with the difference that it can be scoped on a given set of parameters.

Note that the generation of such a scoped API key does not require an actual call to the API.

Also be sure to generate those scoped API keys in the backend as in that case you don’t want to expose the search API key you use for their generation.

I hope this makes sense, let us know how it goes,

Cheers,

1 Like
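The answer above, sketched as an added example (not code from this thread or from Algolia's client): a backend derives a per-tenant key with an HMAC over the embedded restrictions, without any network call, and a tampered filter no longer verifies. Assumptions: the `userId` attribute name, the placeholder parent key, the HMAC-SHA256 construction as commonly implemented by the API clients, and the hypothetical `verifyScopedKey` helper standing in for the service-side check; in production use the client's own key-generation method from the linked documentation.

```javascript
// Added example: Node.js backend, standard library only.
const crypto = require('node:crypto');

// Constructed placeholder; the real search-only key never leaves the server.
const PARENT_SEARCH_KEY = 'constructed-parent-search-key';

// Derive a key scoped to one tenant. Pure computation, no API call.
function generateScopedKey(parentKey, userId, ttlSeconds, now = Date.now()) {
  // Reject ids that could break out of the filter expression.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userId)) throw new Error('invalid userId');
  const params = new URLSearchParams({
    filters: `userId:${userId}`, // assumed attribute holding the record owner
    validUntil: String(Math.floor(now / 1000) + ttlSeconds),
  }).toString();
  const mac = crypto.createHmac('sha256', parentKey).update(params).digest('hex');
  return Buffer.from(mac + params).toString('base64');
}

// Hypothetical verifier: recompute the MAC over the embedded restrictions.
// Returns the restrictions, or null if the key was altered or has expired.
function verifyScopedKey(parentKey, scopedKey, now = Date.now()) {
  const decoded = Buffer.from(scopedKey, 'base64').toString('utf8');
  const mac = Buffer.from(decoded.slice(0, 64));
  const params = decoded.slice(64);
  const expected = Buffer.from(
    crypto.createHmac('sha256', parentKey).update(params).digest('hex'));
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) {
    return null;
  }
  const restrictions = Object.fromEntries(new URLSearchParams(params));
  if (Number(restrictions.validUntil) * 1000 < now) return null;
  return restrictions;
}

// The browser receives only scopedKey; the filter travels inside it.
const scopedKey = generateScopedKey(PARENT_SEARCH_KEY, 'alice', 3600);
console.log(verifyScopedKey(PARENT_SEARCH_KEY, scopedKey));
```

Keep `validUntil` short and issue a fresh key per session so a leaked scoped key ages out on its own.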

Hi @rayrutjes,

Thanks! That’s exactly what I was hoping! Sorry I didn’t notice that in the docs.

1 Like

No problem @paul, this is exactly why we have this forum,

Let us know if there is anything else we can help you with,

1 Like