#community-help

Generating Scoped API Keys Through Web Portal

TLDR Shaun inquired about generating scoped API keys via web portal. Kishore Nallan and Jason clarified that it's currently not possible, but recommended generating them server-side in a trusted environment.


Mar 13, 2023 (9 months ago)
Shaun
10:31 AM
Hi guys, quick question - can the web portal which creates API keys also create scoped API keys, or only top-level ones at this time, and scoped must be done in a privileged environment from code?

Kishore Nallan
10:40 AM
We don't yet have a way to generate a scoped API key from the UI. That's because it is a client-side operation, as all it does is take a parent search-only API key, encode it along with a filter clause and add an HMAC signature of the filter clause so that it cannot be tampered with.

But I think it will be useful to have a UI for it as well.

Kishore Nallan
10:40 AM
The scoped API keys are not stored on the server since they are generated by encoding the filter into the key, which is then extracted during the search request cycle.
Shaun
12:00 PM
Gotcha. But even though it's made from a search-only API key, we should do this server-side in a trusted environment, correct?
Shaun
12:01 PM
As if we use TS SDK on actual client end (Java/Swift) to make the scoped key from Search only key, it defeats the purpose as far as I can see
Kishore Nallan
12:15 PM
No, the search-only key contains an HMAC signature for confirming the filter by string is not tampered with -- it's revalidated on the server side.
Jason
07:07 PM
> But even though it's made from a search-only API key, we should do this server-side in a trusted environment, correct?
That's correct. You want to use the parent search API key and generate a scoped API key on the server side, send that scoped API key to the client side and then have the client side make calls to Typesense directly.

Jason
07:07 PM
You do not want to expose your parent (unscoped) API key to the client-side, because that will then allow access to all data in the collection
Shaun
10:11 PM
yes exactly my thoughts
Shaun
10:12 PM
As I suspected this, that's why I was checking if we could create from the cloud web GUI - to save some time for testing purposes, before spinning up Firebase cloud servers, loading the Typesense SDK and generating keys etc. But now I know that's the only way currently - all good!
Shaun
10:12 PM
Would be good to be able to create from the web GUI in future though - small quality of life feature
