#community-help

Correct API Key Generation and Usage on Cloud

TLDR Tom faced 401 errors while creating keys via the Cloud API. Kishore Nallan clarified the correct syntax and mechanics, and identified a header mislabeling on Tom's part that caused the issue. They also discussed using scoped API keys.

12mo

Join the chat

Oct 12, 2022 (12 months ago)

Photo of md5-2fa64626788fd6e3a12f8cdf96ea88bd

Tom

12:22 PM

I'm getting a 401 when trying to create a key via API on Cloud. Is the "keys:create" the correct API Key permission?

Photo of md5-4e872368b2b2668460205b409e95c2ea

Kishore Nallan

12:23 PM

Yes that's correct. The key that you are using to create this key has key:create permission but it does not work?

Tom

12:24 PM

Oh no, I mean. I have a key already (with keys:create ) and I'm trying to make user scoped keys.

12:24

Tom

12:24 PM

Should it be key or keys ?

Kishore Nallan

12:25 PM

Sorry typo there, it must be keys

12:26

Kishore Nallan

12:26 PM

Just to be clear, user scoped keys are created client side: https://typesense.org/docs/0.23.1/api/api-keys.html#generate-scoped-search-key

Tom

12:26 PM

Gotcha. I have a (backend) key like this:

{
  "description": "API key",
  "actions": [
    "documents:import",
    "keys:create"
  ],
  "collections": [
    "*"
  ]
}

And I'd like to use CURL to make more keys like this for each user to use during their session:

{
  "description": "Search key per user",
  "actions": [ "documents:search" ],
  "collections": [
    // Some collections here
  ]
}

12:27

Tom

12:27 PM

I assume this is an accepted use case?

Kishore Nallan

12:35 PM

Yes, that's valid. I will have to check why it's not working. I will get back to you later today/tomorrow after checking.

Tom

12:35 PM

Roger that, no problem at all. Would it help if I provided cluster ?

Kishore Nallan

12:36 PM

I don't think it will be a cluster specific issue. Let me first see if I can reproduce and then will ask for further details if needed.

Oct 13, 2022 (12 months ago)

Tom

12:17 PM

Kishore Nallan did you happen to get a chance to look at this?

Kishore Nallan

12:58 PM

I just tried this on 0.23.1 and it works for me:

% curl '' \
    -X POST \
    -H "X-TYPESENSE-API-KEY: abcd" \
    -H 'Content-Type: application/json' \
    -d '{"description": "", "value": "foobar","actions": ["keys:create"], "collections": ["*"]}'
{"actions":["keys:create"],"collections":["*"],"description":"","expires_at":64723363199,"id":0,"value":"foobar"}%

% curl '' \
    -X POST \
    -H "X-TYPESENSE-API-KEY: foobar" \
    -H 'Content-Type: application/json' \
    -d '{"description": "", "value": "amazing","actions": ["documents:search"], "collections": ["*"]}'
{"actions":["documents:search"],"collections":["*"],"description":"","expires_at":64723363199,"id":1,"value":"amazing"}%

Tom

01:00 PM

Does the second call, use the API key generated in the first call?

Kishore Nallan

01:00 PM

Yes, see the use of foobar in the X-TYPESENSE-API-KEY header

Tom

01:01 PM

Wait, wild. So does "value": "foobar" mean the API key generated will be foobar rather than auto generated?

Kishore Nallan

01:03 PM

Yes, correct.

01:03

Kishore Nallan

01:03 PM

If you don't specify a value Typesense will auto generate.

Tom

01:17 PM

So I'm still getting a 401 on my side.

I've got a key like this:

{
  "description": "Admin key",
  "actions": [ "documents:import", "keys:create" ]
  "collections": [
    "*"
  ]
}

That I created via UI. I then took that API and tried to create more like this using HTTP. Heres the body:

{
   "description":"Search key for user ykDG6Un4oNUs1UBxKqS5ae9HC9D3",
   "actions":[
      "documents:search"
   ],
   "collections":[
      "exercises",
      "programs",
      "programs"
   ]
}

But I get a 401 response.

401 Unauthorized from POST https://xxxxxxx.a1.typesense.net/keys

Kishore Nallan

01:20 PM

Hmm, are you also using curl?

Tom

01:21 PM

I'm using Java HTTP client:

()
                .uri("https://xxxxxxx.a1.typesense.net/keys")
                .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                .header("TYPESENSE-API-KEY", "xxxxxx")
                .body(BodyInserters.fromValue(new TypeSenseGenerateKeyRequest(
                        "Search key for user %s".formatted(userId),
                        Collections.singletonList("documents:search"),
                        List.of(EXERCISES_COLLECTION_NAME,
                                PROGRAMS_COLLECTION_NAME,
                                HISTORY_COLLECTION_NAME))))
                .retrieve()
                .bodyToMono(TypeSenseGenerateKeyResponse.class)
                .block()

01:21

Tom

01:21 PM

I've also tried using a key like this to generate more and still get 401. So the original key I think is ok

{
  "description": "Admin key",
  "actions": [
    "*"
  ],
  "collections": [
    "*"
  ]
}

Kishore Nallan

01:22 PM

Can you quickly try using the curl example I have above to see if it makes a difference? That will tell us where the issue is.

01:23

Kishore Nallan

01:23 PM

Ah I think I got it:

> .header("TYPESENSE-API-KEY", "xxxxxx")
Should be X-TYPESENSE-API-KEY

Tom

01:24 PM

ohh worked straight away. Good eyes Kishore Nallan!

01:24

Tom

01:24 PM

Time to move that to a const. I clearly cannot be trusted to type it everywhere..

01:26

Tom

01:26 PM

Final question, for adding a filter_by to this key, what would that payload look like?

Kishore Nallan

01:27 PM

You mean baking a "filter_by" clause into that key? For that you need to use scoped api key. Official clients have a helper that hmacs the filter string and adds the digest as part of the key so that it cannot be tampered.

Tom

01:27 PM

Ah I see, so this is not something we can do over HTTP only?

Kishore Nallan

01:29 PM

I don't follow you. Is there something that you want to do that cannot be done via scoped API keys?

Tom

01:30 PM

I'd definitely like to use scoped keys, ideally created over HTTP.

Right now I can create keys for our users, but they are not scoped.

Typesense

Lightning-fast, open source search engine for everyone | Knowledge Base powered by Struct.AI

Indexed 2786 threads (79% resolved)

Join Our Community Manage subscription

Similar Threads

Resolving Issues with Scoped API Keys in Typesense with Golang

Suvarna had problems with generating and using scoped API keys in Typesense with Golang. Several bugs misleading the user were found and fixed by Kishore Nallan.

158

26mo

Issues with Generating Scope API Keys in Python

Danny had issues generating a valid scope API key in a Python GraphQL server. Jason suggested encoding changes and confirmed that the key length varies. Issue unresolved with Python, although JS library worked.

17mo

API Key Permissions for Typesense Docsearch Scraper

JP asked about configuring API key actions for reindexing a site using Typesense. Kishore Nallan clarified the required permission. Then, JP and Jason discussed specific permission configurations, and JP made a documentation update to illustrate their findings.

9mo

Scoping API Key for All Permissions & Searches

James requests help to scope an API key for all searches and permissions. Jason suggests adding aliases:get and metrics:get. This suggestion doesn't resolve the issue; the thread is marked as unresolved.

26mo

Issue with API Key Expiry and Generation in Node.js

Sai is having trouble with API keys expiring and triggering a forbidden key error in Node.js. Despite trying to generate a new key after expiry, Sai gets the same error. Jason explains that the problem may be due to the expiration of parent API keys.