# community-help
j
I also have another question: is it possible to invalidate a scoped token before its expiry? Let's say their permissions have changed and the scoped token is no longer valid. The use case being, we have given a client a scoped key and then subsequently their access permissions have changed.
j
Could you expand on how you store access permissions in each record?
I ask because if you store, e.g., a list of user_ids that have access to a record, in each record, then just updating the list of user_ids of that record would automatically prevent previous users who had access to that record from accessing it now.
Their existing scoped API keys would have their user_id embedded in them, and won't pull up any records that now don't have their user_id in the ACL list.
j
We are storing an "org_id" in every doc, and the user->org mapping is in our system. We'll provide a scoped key to every user to query the index with the list of org_ids embedded in the scoped key. When a user's permission is revoked we'd like to invalidate the scoped key and issue a new one. In theory, if we can't invalidate the previous key, the user could just store it elsewhere and continue to use it.
j
Got it. Scoped API keys are generated in the API libraries and are not stored on the Typesense-server-side. So the only way to revoke a scoped API key is by deleting the parent API key that was used to generate it. Given this, one way to achieve what you're looking to do is to create one parent key per org, then generate a scoped API key for each org based on their respective parent key. Then when a user's org membership changes, you can revoke the parent key of the org, generate a new parent key and then use that parent key to generate a new scoped API key. This way, the old scoped API key that the ex-user might have will no longer work.
On a side note, this is an interesting use case! Mind opening a GitHub issue with this question and the additional context? I can then post my response there as well, for the benefit of future searchers who might not read Slack.
j
Oh cool, that's a neat solution, thanks. Will do, I'll open a ticket there.
j
Hi @J, reminder to open a GitHub issue with this use case 🙏