Where to hide an API key

I’m working on a project using Firebase (specifically using the new Firestore beta for my database) and want to use Algolia to enhance search. My database contains ingredients with associated substitutions. I want to be able to handle typos when users are searching for an ingredient (i.e. “olve oil” -> “olive oil”).

My current plan is:
- when the page loads, build an array of all the ingredient names from my Firestore db (‘allIngredients’)
- use ‘allIngredients’ to create an index in Algolia
- when the user enters a search term, run it through Algolia to correct typos, etc.
- capture the corrected search term and use it to locate the appropriate record in my Firestore db

I understand that I am not supposed to expose my Admin API key to the front-end (i.e. don’t put it in my app.js file). However I need to write/update my Algolia index based on what’s in my Firestore db. Can someone advise me on how I should go about doing this?

(Also, I understand that this is a pretty general JavaScript/programming question, not necessarily one specific to Algolia; however, since this is the specific use-case I have in mind I figured someone here might be willing to help :slightly_smiling_face: )

Hi @alexhollender ,

The best way is to keep your API key in the backend. It goes the same way when using Firebase. If your users need to update your data, then you should update Firebase and then your backend script should catch those updates and push them to Algolia.

This article describes the backend part.
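
The flow described in this answer, sketched as an added example that is not part of the original post or of Algolia's or Firebase's own code: the backend reads the Admin API key from its environment and turns Firestore document changes into index writes. The names `ALGOLIA_ADMIN_KEY`, `loadAdminKey`, `toIndexWrites`, `pushToIndex`, `makeFakeIndex` and the `name` field are assumptions, and the in-memory index and sample changes are constructed so the code runs offline.

```javascript
// Added example; function names, ALGOLIA_ADMIN_KEY and the `name` field are assumed.

// The Admin API key is read from the server's environment, never shipped in app.js.
function loadAdminKey(env) {
  const key = env.ALGOLIA_ADMIN_KEY;
  if (!key) throw new Error('ALGOLIA_ADMIN_KEY is not set on the backend');
  return key;
}

// Turn Firestore document changes into index writes. Each change has the shape
// { type: 'added' | 'modified' | 'removed', doc: { id, data() } }.
function toIndexWrites(changes) {
  const upserts = [];
  const deletions = [];
  for (const change of changes) {
    if (change.type === 'removed') {
      deletions.push(change.doc.id);
    } else {
      // Index only the searchable name; objectID links the record back to Firestore.
      upserts.push({ objectID: change.doc.id, name: change.doc.data().name });
    }
  }
  return { upserts, deletions };
}

// `index` needs saveObjects(objects) and deleteObjects(ids), as in the Algolia v3/v4 JS client.
async function pushToIndex(writes, index) {
  if (writes.upserts.length) await index.saveObjects(writes.upserts);
  if (writes.deletions.length) await index.deleteObjects(writes.deletions);
}

// Constructed in-memory stand-in for the index so the example runs offline.
function makeFakeIndex(initial) {
  const records = new Map(initial.map(o => [o.objectID, o]));
  return {
    records,
    async saveObjects(objs) { objs.forEach(o => records.set(o.objectID, o)); },
    async deleteObjects(ids) { ids.forEach(id => records.delete(id)); },
  };
}

// Constructed sample changes, shaped like those a snapshot listener delivers.
const sampleChanges = [
  { type: 'added', doc: { id: 'ing1', data: () => ({ name: 'olive oil', substitutions: ['canola oil'] }) } },
  { type: 'modified', doc: { id: 'ing2', data: () => ({ name: 'butter' }) } },
  { type: 'removed', doc: { id: 'ing3', data: () => ({ name: 'lard' }) } },
];
const demo = makeFakeIndex([{ objectID: 'ing3', name: 'lard' }]);
pushToIndex(toIndexWrites(sampleChanges), demo).then(() => console.log([...demo.records.keys()]));
```

In a real deployment the fake index is replaced by an index object created on the server with the key returned by `loadAdminKey(process.env)`.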

@Bobylito thank you! So I basically need to run a script behind the scenes, either locally or on a server like Heroku. I think I can just do this locally for now. Out of curiosity, how do you keep the script running all the time if you’re using something like Heroku? I’m only familiar with the model where a script runs as the result of someone accessing it via their browser.