https://typesense.org logo
Join Slack
Powered by
Hi guys, quick question - can the web portal which...
# community-help
s
Hi guys, quick question - can the web portal which creates API keys, also create scoped API keys, or only top level ones at this time and scoped must be done privileged environment from code?
👍 1
k
We don't yet have a way to generate scoped API key from the UI. That's because it is a client side operation as all it does is take a parent search-only API key and then encodes it along with a filter clause and also adds a hmac signature of the filter clause so that it cannot be tampered. But I think it will be useful to have a UI for it as well.
👍 1
The scoped API keys are not stored on the server since they are generated by encoding the filter into the key, which is then extracted during the search request cycle.
s
Gotcha. But even tho its made from a search only API key, we should do this server side in trusted environment correct ?
As if we use TS SDK on actual client end (Java/Swift) to make the scoped key from Search only key, it defeats the purpose as far as I can see
k
No the search only key contains a hmac signature for confirming the filter by string is not tampered -- it's revalidated on the server side.
j
But even tho its made from a search only API key, we should do this server side in trusted environment correct ?
That’s correct. You want to use the parent search api key and generate a scoped API key on the server-side, send that scoped API key to the client-side and then have the client-side make calls to Typesense directly
✔️ 1
You do not want to expose your parent (unscoped) API key to the client-side, because that will then allow access to all data in the collection
s
yes exactly my thoughts
As I suspected this, thats why I was checking ifwe could create from the cloud web GUI - to save some time for testing purposes, before spinning up for Firebase cloud servers, loading the typesense SDK and generating keys etc. BUt now I know thats the only way currently - all good!
Would be good to be able create from the web GUI in future tho - small quality of life feature
👍 1
Open in Slack
PreviousNext
Powered by