If an Algolia API key is exposed or compromised, revoke the affected key and replace it with a new one.
To revoke an API key, delete it from the Algolia dashboard or with the API. After the key is revoked, update your application to use a new API key with the minimum permissions required for its use case.
Never expose your Admin API key in frontend, mobile, or public code. If the Admin API key is exposed, revoke it and update any backend services that rely on it.
If you delete a main API key, any secured API keys generated from it are also deleted. Secured API keys can’t be restored, even if the main API key is restored later.
When creating the replacement key:
- Grant only the required ACLs.
- Restrict access to specific indices where possible.
- Add referrer, IP, validity, or query parameter restrictions where appropriate.
- Store private keys in environment variables or another secure secret store.
- Don’t hardcode write-access keys or Admin API keys in frontend or mobile apps.