#community-help

Generating Scoped API Keys Through Web Portal

TLDR Shaun inquired about generating scoped API keys via web portal. Kishore Nallan and Jason clarified that it's currently not possible, but recommended generating them server-side in a trusted environment.

6mo

Join the chat

Mar 13, 2023 (6 months ago)

Photo of md5-9dd01dbbef7bac5e85a472a52dc35647

Shaun

10:31 AM

Hi guys, quick question - can the web portal which creates API keys, also create scoped API keys, or only top level ones at this time and scoped must be done privileged environment from code?

Image 1 for Hi guys, quick question - can the web portal which creates API keys, also create scoped API keys, or only top level ones at this time and scoped must be done privileged environment from code?

Photo of md5-4e872368b2b2668460205b409e95c2ea

Kishore Nallan

10:40 AM

We don't yet have a way to generate scoped API key from the UI. That's because it is a client side operation as all it does is take a parent search-only API key and then encodes it along with a filter clause and also adds a hmac signature of the filter clause so that it cannot be tampered.

But I think it will be useful to have a UI for it as well.

10:40

Kishore Nallan

10:40 AM

The scoped API keys are not stored on the server since they are generated by encoding the filter into the key, which is then extracted during the search request cycle.

Shaun

12:00 PM

Gotcha. But even tho its made from a search only API key, we should do this server side in trusted environment correct ?

12:01

Shaun

12:01 PM

As if we use TS SDK on actual client end (Java/Swift) to make the scoped key from Search only key, it defeats the purpose as far as I can see

Kishore Nallan

12:15 PM

No the search only key contains a hmac signature for confirming the filter by string is not tampered -- it's revalidated on the server side.

Photo of md5-8813087cccc512313602b6d9f9ece19f

Jason

07:07 PM

> But even tho its made from a search only API key, we should do this server side in trusted environment correct ?
That’s correct. You want to use the parent search api key and generate a scoped API key on the server-side, send that scoped API key to the client-side and then have the client-side make calls to Typesense directly

07:07

Jason

07:07 PM

You do not want to expose your parent (unscoped) API key to the client-side, because that will then allow access to all data in the collection

Shaun

10:11 PM

yes exactly my thoughts

10:12

Shaun

10:12 PM

As I suspected this, thats why I was checking ifwe could create from the cloud web GUI - to save some time for testing purposes, before spinning up for Firebase cloud servers, loading the typesense SDK and generating keys etc. BUt now I know thats the only way currently - all good!

10:12

Shaun

10:12 PM

Would be good to be able create from the web GUI in future tho - small quality of life feature

Typesense

Lightning-fast, open source search engine for everyone | Knowledge Base powered by Struct.AI

Indexed 2764 threads (79% resolved)

Join Our Community Manage subscription

Similar Threads

Correct API Key Generation and Usage on Cloud

Tom faced 401 errors while creating keys via the Cloud API. Kishore Nallan clarified the correct syntax and mechanics, and identified a header mislabeling on Tom's part that caused the issue. They also discussed using scoped API keys.

11mo

Issues with Generating Scope API Keys in Python

Danny had issues generating a valid scope API key in a Python GraphQL server. Jason suggested encoding changes and confirmed that the key length varies. Issue unresolved with Python, although JS library worked.

15mo

Resolving Issues with Scoped API Keys in Typesense with Golang

Suvarna had problems with generating and using scoped API keys in Typesense with Golang. Several bugs misleading the user were found and fixed by Kishore Nallan.

158

24mo

Trouble with Scoped Search API Keys in Flutter App

Shane struggled with scoped search API keys in Typesense library for a Flutter app, which returned a 401 error. Jason identified that the error may be a result of an invalid filter within the key, and instructed to create separate keys for different permissions. On implementation, the error was resolved.

2mo

Generate Multiple Scoped Search Keys with Typesense

Kian inquired if many `scoped search keys` could be generated for each user and prevent access to indexes unrelated to each user. Kishore Nallan confirmed this and explained filtering by 'user_id' in the API key would restrict record access.

11mo