Secure API Key with restrictions responds with 400 bad request


Trying to generate a secure API key with restrictSearchableAttributes based on the documentation here:

Issue when adding restrictSearchableAttributes to the secure key, I am getting a 400 Bad Request.


  • "algoliasearch": "^4.14.2"
  • "typescript": "^4.7.4"
  • node --versionv16.15.0
async function main(): Promise<void> {
  const appId = "MY-APP-ID";
  const searchKey = "MY-SEARCH-API-KEY";
  const client = algoliasearch(appId, searchKey);
  const secureKey = client.generateSecuredApiKey(searchKey, {
    filters: 'type:user OR type:group',
    restrictSearchableAttributes: ['name']
  console.log('secure.key:', secureKey);

  .then(() => console.log('main.complete'))
  .catch((err) => { console.error('main.error:', err); })

The secureKey works when just using filters: 'type:user OR type:group'

Once restrictSearchableAttributes: ['name'] is added, the response is 400 Bad Request.

  • Note, key length is 201 characters


Worked through this with my team. The issue is that you can’t restrict a search attribute if it is part of a comma-separated list.

  • once the attribute was not part of a comma-separated list, the restriction worked

Based on the following reference…

You can’t use this setting on an attribute that’s part of a comma-separated list of attributes within searchableAttributes. For example, if your searchableAttributes parameter contains ['title, category', 'content'] , title and category are part of one comma-separated element and have the same priority, while content has its own priority level. You can set restrictSearchableAttributes to ['content'] , but you can’t set restrictSearchableAttributes to ['title'] , ['category'] , ['title, category'] or ['title', 'category']