Guides / Security

Algolia Vault is available an add-on to your pricing plan.

Algolia Vault gives you an extra level of security and control over your data, beyond typical use-cases.

For example, a digital healthcare service might have medical records or personal user data that needs to be accessible to internal users only. Algolia Vault exists to meet strict technical or compliance requirements that call for disk encryption and restricted access.

At its core, Algolia Vault provides two things:

  • Advanced Encryption Standard (AES), specifically AES-256, for disk encryption at rest, with per-server keys.
  • Configurable firewall to restrict access to specific IP addresses.

Disk encryption

Algolia Vault applies disk encryption with 256-bit AES to all data at rest, right when you create your cluster. You must set up Vault before indexing data to Algolia, and can’t turn it off. If you didn’t turn on Algolia Vault before creating the cluster, you must create an entirely new encrypted cluster and migrate your data to it.


Algolia Vault gives you access to a firewall feature. The firewall applies to both indexing and search API calls. It provides network-level control over which IP addresses have access to the data you’re storing with Algolia. Your data is accessible to the IP addresses you specify and forbidden to any others. You can specify up to 1,000 IP addresses to allow access to.

You can configure the firewall via the REST API or in the Infrastructure section of the Algolia dashboard.

All applications on the same cluster share the same firewall configuration.

Enabling and disabling the firewall

By default, the firewall is turned off, and all IP addresses, or “sources,” can reach the server as long as they provide a valid application ID and API key. As soon as you enable the firewall, only sources on your allowlist can access your data. You turn the firewall on as soon as you set up the allowlist.

To let the Algolia support team access the API, you can add a specific source called ALGOLIA_SUPPORT.

To turn off the firewall, you can pass to the configuration.

Using the firewall with InstantSearch

In some types of IP-restricted implementations, you might not be able to implement InstantSearch directly from the frontend. You can still use InstantSearch by implementing a backend proxy that makes all the requests from your allowlisted server.

As with any proxy, this isn’t as fast as with a frontend InstantSearch implementation. However, it lets you implement a full InstantSearch experience with all its features while enforcing strict access restrictions.

Did you find this page helpful?