userToken in secured API key not working

Hello, I am have some problem
I am implementing the generateSecuredApiKey method and using the paramuserToken (the value is the userID of the user who has logged in to my app) as shown here:https://www.algolia.com/doc/api-reference/api-methods/generate-secured-api-key/?language=javascript#method-param-usertoken

However, I don’t know if this will be the setting for the userToken check when I use this secured-key. Because after being secured-key and calling directly to this API of Algolia
curl -X POST -H "X-Algolia-API-Key: $ {secured-key}" -H "X-Algolia-Application-Id: $ {APPLICATION_ID}" --data-binary '{"params": "query = george% 20clo & hitsPerPage = 2 & getRankingInfo = 1"}' "https: // $ {APPLICATION_ID} -dsn.algolia.net/1/indexes/imdb/query" I have obtained data information without having to login to my app.

Where did I go wrong, please point out to me. Thankyou!

Please point out to me. Thankyou!

Hi @le.vu.thi.quynh.trin,

From your description it sounds like you are successfully using generateSecuredApiKey , including the userToken param.

However, you are surprised that the user can still query Algolia with the secured API key even if they are not logged in because they already have a valid API key created. Is that correct?

Please consider also using the validUntil param to coincide with the expiration of your user session, to limit access.

In addition, you can more frequently refresh the “parent” API key used to generate the secured API keys so that user’s also cannot locally save existing API keys. See if createApiKey can assist you with this goal to further limit access.

We hope this helps

There are several users are facing such similar issues regarding user token issues that should be solved by them only. If they need more advice can check from how to remove a hacker from my phone which also helps me to sort out easily.