How to secure the search only API Key? Is there a ...
# community-help
c
How to secure the search only API Key? Is there a way to ensure the API Key only responds to calls from my own domain? cc: @Jason Bosco
f
While not recent, there was a similar question asked a while back here: https://threads.typesense.org/2K3200 And it didn't seem possible. Maybe @Kishore Nallan has something more to add.
k
It's not possible to restrict an API key to a domain. Generally, a search API exposes already-public information. If you are storing data from different users in the same collection, check scoped API keys for how we can embed a fixed filtering expression into the API key so that it can't be tampered with.
c
Got it. Thanks. It’s a major issue because it opens us up to abuse and scraping. Will look into the methods you mention in the docs. Thanks!
j
There's technically no way to ensure that an API can only be called from a certain domain. There's CORS, but that is only a browser thing, and it can be easily bypassed using curl directly. So if scraping protection is what you're looking for, you want to consider using these precautions: https://typesense.org/docs/guide/data-access-control.html#scraping-protection
e
You can rotate the search key regularly. If you have control of the domain name, put Cloudflare in front of it with Bot Fight Mode.
But yeah, if someone is making direct calls to the API endpoint, it's not easy to avoid.