#community-help

Correct API Key Generation and Usage on Cloud

TLDR Tom faced 401 errors while creating keys via the Cloud API. Kishore Nallan clarified the correct syntax and mechanics, and identified a header mislabeling on Tom's part that caused the issue. They also discussed using scoped API keys.

Solved
Oct 12, 2022 (12 months ago)
Tom
12:22 PM
I'm getting a 401 when trying to create a key via API on Cloud. Is the "keys:create" the correct API Key permission?
Kishore Nallan
12:23 PM
Yes that's correct. The key that you are using to create this key has key:create permission but it does not work?
Tom
12:24 PM
Oh no, I mean. I have a key already (with keys:create) and I'm trying to make user scoped keys.
Tom
12:24 PM
Should it be key or keys?
Kishore Nallan
12:25 PM
Sorry typo there, it must be keys
Kishore Nallan
12:26 PM
Just to be clear, user scoped keys are created client side: https://typesense.org/docs/0.23.1/api/api-keys.html#generate-scoped-search-key
Tom
12:26 PM
Gotcha. I have a (backend) key like this:

{
  "description": "API key",
  "actions": [
    "documents:import",
    "keys:create"
  ],
  "collections": [
    "*"
  ]
}

And I'd like to use CURL to make more keys like this for each user to use during their session:

{
  "description": "Search key per user",
  "actions": [ "documents:search" ],
  "collections": [
    // Some collections here
  ]
}
Tom
12:27 PM
I assume this is an accepted use case?
Kishore Nallan
12:35 PM
Yes, that's valid. I will have to check why it's not working. I will get back to you later today/tomorrow after checking.
Tom
12:35 PM
Roger that, no problem at all. Would it help if I provided cluster?
Kishore Nallan
12:36 PM
I don't think it will be a cluster specific issue. Let me first see if I can reproduce and then will ask for further details if needed.

Oct 13, 2022 (12 months ago)
Tom
12:17 PM
Kishore Nallan did you happen to get a chance to look at this?
Kishore Nallan
12:58 PM
I just tried this on 0.23.1 and it works for me:

% curl '' \
    -X POST \
    -H "X-TYPESENSE-API-KEY: abcd" \
    -H 'Content-Type: application/json' \
    -d '{"description": "", "value": "foobar","actions": ["keys:create"], "collections": ["*"]}'
{"actions":["keys:create"],"collections":["*"],"description":"","expires_at":64723363199,"id":0,"value":"foobar"}%

% curl '' \
    -X POST \
    -H "X-TYPESENSE-API-KEY: foobar" \
    -H 'Content-Type: application/json' \
    -d '{"description": "", "value": "amazing","actions": ["documents:search"], "collections": ["*"]}'
{"actions":["documents:search"],"collections":["*"],"description":"","expires_at":64723363199,"id":1,"value":"amazing"}%
Tom
01:00 PM
Does the second call use the API key generated in the first call?
Kishore Nallan
01:00 PM
Yes, see the use of foobar in the X-TYPESENSE-API-KEY header
Tom
01:01 PM
Wait, wild. So does "value": "foobar" mean the API key generated will be foobar rather than auto generated?
Kishore Nallan
01:03 PM
Yes, correct.
Kishore Nallan
01:03 PM
If you don't specify a value Typesense will auto generate.

Tom
01:17 PM
So I'm still getting a 401 on my side.

I've got a key like this:

{
  "description": "Admin key",
  "actions": [ "documents:import", "keys:create" ],
  "collections": [
    "*"
  ]
}

That I created via UI. I then took that API and tried to create more like this using HTTP. Here's the body:

{
   "description":"Search key for user ykDG6Un4oNUs1UBxKqS5ae9HC9D3",
   "actions":[
      "documents:search"
   ],
   "collections":[
      "exercises",
      "programs",
      "programs"
   ]
}

But I get a 401 response.
401 Unauthorized from POST https://xxxxxxx.a1.typesense.net/keys
Kishore Nallan
01:20 PM
Hmm, are you also using curl?
Tom
01:21 PM
I'm using Java HTTP client:
()
                .uri("https://xxxxxxx.a1.typesense.net/keys")
                .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                .header("TYPESENSE-API-KEY", "xxxxxx")
                .body(BodyInserters.fromValue(new TypeSenseGenerateKeyRequest(
                        "Search key for user %s".formatted(userId),
                        Collections.singletonList("documents:search"),
                        List.of(EXERCISES_COLLECTION_NAME,
                                PROGRAMS_COLLECTION_NAME,
                                HISTORY_COLLECTION_NAME))))
                .retrieve()
                .bodyToMono(TypeSenseGenerateKeyResponse.class)
                .block()
Tom
01:21 PM
I've also tried using a key like this to generate more and still get 401. So the original key I think is ok:

{
  "description": "Admin key",
  "actions": [
    "*"
  ],
  "collections": [
    "*"
  ]
}
Kishore Nallan
01:22 PM
Can you quickly try using the curl example I have above to see if it makes a difference? That will tell us where the issue is.
Kishore Nallan
01:23 PM
Ah I think I got it:

> .header("TYPESENSE-API-KEY", "xxxxxx")
Should be X-TYPESENSE-API-KEY
Tom
01:24 PM
ohh worked straight away. Good eyes Kishore Nallan!
Tom
01:24 PM
Time to move that to a const. I clearly cannot be trusted to type it everywhere..

Tom
01:26 PM
Final question, for adding a filter_by to this key, what would that payload look like?
Kishore Nallan
01:27 PM
You mean baking a "filter_by" clause into that key? For that you need to use a scoped API key. Official clients have a helper that HMACs the filter string and adds the digest as part of the key so that it cannot be tampered with.
Tom
01:27 PM
Ah I see, so this is not something we can do over HTTP only?
Kishore Nallan
01:29 PM
I don't follow you. Is there something that you want to do that cannot be done via scoped API keys?
Tom
01:30 PM
I'd definitely like to use scoped keys, ideally created over HTTP.

Right now I can create keys for our users, but they are not scoped.