Questions about indices listed within Secured API Key

Regarding my previous question here:

I have another question:

When decoding the base64 encoded secured api key, we are wondering if the index listed in the payload for informational purposes? Or, is that a variable that controls access to the indices.

So, for example, could I decode that string on my client, change the index list, re-encode it and then have access to the list of indices I added? Or, is access to indices controlled exclusively on the server side?


Secured API key are basically API keys with a set of constrains embedded inside. Those keys can only be used with this constrains they were created with (access to a specific index, filters on specific filters, etc) and those cannot be changed after they are created. That’s why it’s safe to expose them on your front-end. It is not possible to edit them without breaking their integrity.

To answer your specific question, the index name saved inside the secured API key is used to restrict access to this specific index. We do this check on our side (on the API servers), by checking that the key you sent has been correctly crafted by your admin key, and that the query made matches with the constraints embedded in the key.

If you were to decode the key, change the index and re-encode it, your key will be rejected by our servers because you “broke” its integrity.

Hope that helps. Let me know if you have other questions regarding those keys