#community-help

Using Typesense Frontend and Protecting API Key

TLDR: KARTHICK asked about using Typesense from the frontend. Jason said both frontend and backend are possible but encouraged the frontend for performance. Marcos raised key exposure concerns, and Kishore Nallan explained that scoped API keys can provide protection.

Solved
Mar 30, 2023 (6 months ago)
KARTHICK
04:30 AM
Hi guys, I have a doubt: what is the right way of using Typesense, whether to use it from the front end or we need to use it from the backend? Kishore Nallan
Jason
04:47 AM
You could send queries to Typesense from the frontend directly and also from the backend. In general, we gently encourage sending queries from the frontend, since it reduces network latency and improves performance, especially for search-as-you-type experiences.

KARTHICK
04:49 AM
Thank you so much Jason 🎉

Marcos
12:30 PM
Isn't the search endpoint protected by a private API key?
KARTHICK
01:07 PM
It's protected with the search API key, Marcos
Marcos
01:08 PM
So, how will you fetch from the frontend without exposing the API key?
Marcos
01:10 PM
Jason, could you please clarify here?
KARTHICK
01:11 PM
If without protected key only we can use from the FE ????
Marcos
01:12 PM
As far as I understand, you can mitigate the risk in exposing your key by creating an API key with restricted access (i.e. document:search only and specific to the collection you want to search from).
Marcos
01:12 PM
However, you'll still be leaking the API key
KARTHICK
01:12 PM
oops
KARTHICK
01:13 PM
So... I need a search from the protected route. How to implement that from Node.js?
Kishore Nallan
02:14 PM
Most search use cases are search on public data anyway (e.g. ecommerce). For multi-tenanted search you can use scoped API key that embeds a filter like user_id: 100 into the key so that one cannot use it to query another user's data.
Mar 31, 2023 (6 months ago)
KARTHICK
06:21 AM
So when I get data from the server my API key is exposed; does this cause any issue in future? Marcos Kishore Nallan Jason
Kishore Nallan
06:26 AM
Yes, if you are making the search requests from the frontend, the key is going to be exposed, so you should be using a key with permission for only search. If you are storing multiple customers and querying within a customer subset, then use scoped API keys to protect access: https://typesense.org/docs/0.24.0/api/api-keys.html#generate-scoped-search-key
KARTHICK
06:29 AM
Thank you so much Kishore Nallan