Use a Search API key in frontend search experiences. This key is designed for search-only access and can be exposed in client-side code when it’s limited to the permissions needed for searching.
Never expose your Admin API key in frontend, mobile, or public code. The Admin API key has broad access and should only be used in secure backend environments.
For additional control, use API key restrictions. You can restrict keys by ACL, index, referrer, IP address, validity period, or query parameters.
Use secured API keys when you need to enforce user-specific restrictions, such as limiting users to a subset of records with filters. Secured API keys are generated from a parent API key, inherit the parent key’s restrictions, and must include at least one restriction. Don’t use the Admin API key as the parent key.
When handling API keys in your code:
- Store private keys in environment variables.
- Don’t hardcode write-access or Admin API keys in frontend or mobile apps.
- For mobile apps, dynamically fetch restricted keys instead of embedding long-lived sensitive keys.
- Use the least-privileged key required for each use case.
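The points above fit together as one backend routine: read the parent key from the environment, derive a secured key that carries the user's filter and a validity period, hand that to the client instead of a long-lived key, and verify it server-side. The following Python is an added example, not code from this page or from any search provider's SDK. The derivation scheme (HMAC-SHA256 over the URL-encoded restrictions, keyed with the parent key, then base64 of the hex digest followed by the restriction string), the environment variable name `SEARCH_PARENT_API_KEY`, and the restriction names `filters`, `validUntil` and `restrictIndices` are assumptions chosen to match the restriction types listed above; use your provider's library and documented parameter names in production.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed sample value so the example runs offline. In a deployment the
# parent key comes from the environment (see load_parent_key) and is a
# search-only key with its own restrictions, never the Admin API key.
SAMPLE_PARENT_KEY = "constructed-search-only-parent-key"
ENV_VAR = "SEARCH_PARENT_API_KEY"  # assumed variable name


def load_parent_key() -> str:
    """Read the parent key from the environment, falling back to the sample."""
    return os.environ.get(ENV_VAR, SAMPLE_PARENT_KEY)


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """Derive a secured key from a parent key (assumed scheme, see lead-in).

    The restrictions are URL-encoded in sorted order, signed with HMAC-SHA256
    under the parent key, and the hex digest plus the parameter string is
    base64-encoded. A key with no restriction at all is refused, mirroring
    the rule that a secured key must include at least one restriction.
    """
    if not restrictions:
        raise ValueError("a secured API key must carry at least one restriction")
    query = urlencode(sorted(restrictions.items()))
    digest = hmac.new(parent_key.encode(), query.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((digest + query).encode()).decode()


def decode_secured_api_key(secured_key: str) -> Tuple[str, dict]:
    """Split a secured key into its 64-char hex digest and its restrictions."""
    raw = base64.b64decode(secured_key).decode()
    digest, query = raw[:64], raw[64:]
    return digest, dict(parse_qsl(query))


def verify_secured_api_key(parent_key: str, secured_key: str) -> bool:
    """Server-side check: recompute the HMAC over the embedded restriction
    string and compare in constant time. A key derived from a different
    parent, or with edited restrictions, fails here."""
    raw = base64.b64decode(secured_key).decode()
    digest, query = raw[:64], raw[64:]
    expected = hmac.new(parent_key.encode(), query.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)


def is_expired(secured_key: str, now: Optional[int] = None) -> bool:
    """True when the key carries a validUntil (assumed name) in the past."""
    now = int(time.time()) if now is None else now
    _, restrictions = decode_secured_api_key(secured_key)
    valid_until = restrictions.get("validUntil")
    return valid_until is not None and now > int(valid_until)


def key_for_user(user_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """What a backend endpoint returns to an authenticated web or mobile client:
    a short-lived key limited to one index and to that user's own records.
    The client fetches this at runtime rather than shipping a long-lived key."""
    now = int(time.time()) if now is None else now
    restrictions = {
        "filters": f"owner:{user_id}",       # assumed restriction name
        "validUntil": now + ttl_seconds,     # assumed restriction name
        "restrictIndices": "products",       # assumed restriction name
    }
    return generate_secured_api_key(load_parent_key(), restrictions)


if __name__ == "__main__":
    key = key_for_user("u42", ttl_seconds=60)
    print("secured key:", key)
    print("restrictions:", decode_secured_api_key(key)[1])
    print("valid under parent:", verify_secured_api_key(load_parent_key(), key))
```

The client never sees the parent key: it receives only the derived value, and every search it makes is bounded by the embedded filter, index and expiry. Because the derivation is deterministic, the backend can recompute and compare the digest on each request without storing issued keys.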