This is a beta feature according to Algolia’s Terms of Service (“Beta Services”).
What user authentication enables
Secure user tokens allow Agent Studio to:- Associate each conversation with a user.
- Store and retrieve memory per user.
- Restrict access so users can only read their own conversations and memory.
- Support multi-user apps with personalized experiences.
JWT authentication flow
User authentication uses JSON Web Tokens (JWTs) to identify users securely:Key points
- JWTs are generated on your backend server, never in frontend code
- JWTs contain a user identifier in the
sub(subject) claim - Agent Studio validates the JWT signature using your authentication key
- All data is automatically scoped to the authenticated user
Set up user authentication
Create an authentication key in the dashboard
- Go to Agent Studio Settings
- Go to User authentication and click Create authentication key
- In the creation box:
- Enter a descriptive name (for example, “Production authentication key”)
- Choose the scope:
- All agents: the key works for all agents in your application
- Specific agents: select which agents this key applies to
- Click Create
- Copy the authentication key: it starts with
sk-alg-... - From the authentication keys table, note the value in the ID column
- Save both values securely:
- Key ID (from the ID column): store in
ALGOLIA_KEY_IDenvironment variable - Authentication key (the full
sk-alg-...value): store inALGOLIA_SECRET_KEYenvironment variable
- Key ID (from the ID column): store in
Generate JWTs on your backend
Create an endpoint on your backend that generates JWTs for authenticated users.
The token must include:
subclaim: Your user’s unique identifierexpclaim: Token expiration timestampkidheader: Your Algolia key ID
Use tokens in API requests
Include the JWT in the Frontend implementation example:If you use the InstantSearch Chat widget with Use this option only with the built-in
X-Algolia-Secure-User-Token header when making Agent Studio API requests:Command line
JavaScript
agentId,
pass the token with requestOptions.headers:agentId path.
If you use a custom transport,
add the secure user token to that transport’s headers.Security
Follow these security recommendations to reduce the risk of leaked keys, improperly scoped users, and expired tokens in production.Token expiration
- Set reasonable expiration times (for example, 24 hours)
- Implement token refresh logic in the frontend
- Handle expired token errors gracefully
Authentication key management
- Store authentication keys in environment variables or secrets managers
- Rotate keys periodically (create new keys and delete old ones from the dashboard)
- Use different keys for different environments (development, staging, production)
- Use specific agent scoping when possible to limit key access
User validation
- Always verify user identity on your backend before generating tokens
- Include only necessary user identifiers in the
subclaim - Don’t include sensitive user data in JWT payloads (they’re not encrypted)
HTTPS requirement
- Always transmit tokens over HTTPS
- Secure your backend token generation endpoint
- Validate Cross-Origin Resource Sharing (CORS) settings to prevent unauthorized domains from accessing tokens
Common patterns
Token refresh
Handle token expiration by refreshing tokens automatically, without prompting users to sign in again:JavaScript
Error handling
Handle authentication errors appropriately:JavaScript
Common issues
“Invalid signature” error:- Verify your authentication key (the full
sk-alg-...value) matches the one from the dashboard - Ensure you’re using HS256 algorithm
- Check that the
kidheader matches your key ID (from the ID column in the authentication keys table)
- Implement token refresh logic
- Check that your server’s clock is synchronized (JWT uses timestamps)
- Verify the
expclaim is set correctly
- Confirm you’re including the
X-Algolia-Secure-User-Tokenheader - Verify the
subclaim contains a valid user identifier - Check that the token is being generated with the correct user ID
See also
- For user-scoped conversation history, see Conversations
- How memory works and when to use it, see Memory overview
- Manage tool-level credentials, see Tools security - Manage tool-level credentials
- Recommended security configuration, see Security