Restrict API access to records that are associated with respective user

Hi there,
I’m having a question about the possibilities of Secured API Keys and the recommended data structures.

My data structure allows to have offices and users. Each user can be associated to zero, one or multiple offices. I only want to search for users, not for offices.
My idea is to structure this as follows - please replace officexId with a unique randomly generated number for each office:

{
  "name": "Michael",
  "offices": [
    "office1Id",
    "office2Id"
  ]
},
{
  "name": "Hans",
  "offices": [
   "office2Id"
  ]
},
{
  "name": "Marcus",
  "offices": []
}

For those entries, I’d like Michael only to be able to be queried by office1 and office2;
Hans respectively only by office2 and Marcus by none as no office is associated.

Is the above structure recommended for my use case? Is there a better option?

Could I generate a Secured API key for e.g. office1 as the following to ensure the above mentioned restrictive security?

const publicKey = client.generateSecuredApiKey(
  'YourSearchOnlyApiKey',
  {
    userToken: 'office1Id',
    filters: 'offices:office1Id'
  }
);

Hi,

Indeed, leveraging filters as you did while generating the Secured API Key will restrict search results to the subset specified with the filter :slight_smile:

Related doc links:

Best,

1 Like