API Key Restrictions
API keys can help you control and limit the scope and behavior of your APIs. We call these controls restrictions. For example, you can exclude some users, group others, limit the duration of a user’s access, and apply other such restrictions.
Concretely, every key can have one or more of the following restrictions:
- Indices: Define which indices can be accessed.
- Rate limit: Limit the number of API calls allowed.
- Records Retrieved: Limit the number of records retrieved.
- Validity: Set an expiration time.
- HTTP Referers: Authorize HTTP referers.
- Query Parameters: Enforce specific query parameters.
- Description: Add a description to a particular key.
Let’s look at these restrictions in more detail.
With API keys you can specify a list of targeted indices. If not indicated or empty, the access level will default to all indices. You can target indices by matching a prefix or a suffix using the
A few examples:
- dev_* will restrict access to all indices starting with dev_
- *_dev will restrict access to all indices ending with _dev
- *_dev_* will restrict access to all indices with dev in the middle of their name
- products will restrict access to the index with an exact match on the name products
You can define the maximum number of API calls allowed per hour and per IP address. The default value is 0 (no rate limit). This parameter can protect you from external attempts to crawl your entire index by bulk querying.
Each time an API call is performed with a rate-limited API key, there will be a verification step: if the number of API calls from this IP address has reached the limit during the past hour, a 429 HTTP code will be returned.
Number of Records Retrieved
Beyond rate limiting, you can limit the maximum number of hits an API key can retrieve in one call. The default value is 0 (unlimited, which is technically 1000). Just like rate limiting, this parameter can protect you from external attempts to crawl your entire index by bulk querying.
It’s possible to set the number of seconds that a key will remain valid. Temporary API keys can be used to grant temporary access to your data. The default value is 0 (no expiration).
You can define a list of referrers authorized to query the API with a given key. If unspecified or empty, it defaults to any referrer.
You can target referrers by matching a prefix or a suffix using the
- https://algolia.com/* restricts access to all referrers starting with https://algolia.com.
- *.algolia.com restricts access to all referrers ending with .algolia.com.
- To allow access for the full algolia.com domain, you can use
Like all HTTP headers, referrers can be spoofed, so you should not rely on them to secure your data. Please read our best practices using HTTP referers.
Some browsers intentionally remove the Referer header from third-party requests. If you’re using a search API key with restrictions on the Referer, this will prevent users from searching on these browsers.
Algolia lets you include a list of search parameters. This parameter uses the URL encoded string format, e.g.
You can use any set of search parameters to generate a Secured API key. For example, filters is often used to restrict access to a subset of your data, restrictIndices limits access to a subset of indices, and so on. All search parameters are available for this purpose, letting you define granular levels of API access.
Although not a restriction, you can add a description to your API keys to remember the purpose of the key.
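The following added example (not Algolia's code) is a small local model of how the index, referer, validity, and rate-limit restrictions described above combine when a request arrives. The KeyPolicy class, its parameter names, and the 403 status for rejected requests are assumptions of this model. The page itself only specifies the 429 response, the defaults of 0, and the wildcard forms.

```python
from collections import defaultdict, deque

def matches(pattern, value):
    """Wildcard match as the page describes it: '*' at the start and/or end."""
    if len(pattern) > 1 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value             # *_dev_*  -> contains
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])     # dev_*    -> prefix
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])        # *_dev    -> suffix
    return value == pattern                       # products -> exact name

class KeyPolicy:
    """Hypothetical model of one API key's restrictions."""
    def __init__(self, indices=(), referers=(), max_calls_per_ip_per_hour=0,
                 validity=0, created_at=0.0):
        self.indices = list(indices)        # empty -> all indices
        self.referers = list(referers)      # empty -> any referer
        self.rate = max_calls_per_ip_per_hour   # 0 -> no rate limit
        self.validity = validity            # seconds, 0 -> no expiration
        self.created_at = created_at
        self.calls = defaultdict(deque)     # ip -> timestamps of accepted calls

    def check(self, index, referer, ip, now):
        """Return the HTTP status this model gives the request."""
        if self.validity and now >= self.created_at + self.validity:
            return 403                      # assumed status: key expired
        if self.indices and not any(matches(p, index) for p in self.indices):
            return 403                      # assumed status: index not allowed
        # A browser that strips the Referer header arrives here with referer=None.
        if self.referers and not any(matches(p, referer or "") for p in self.referers):
            return 403                      # assumed status: referer not allowed
        if self.rate:
            window = self.calls[ip]
            while window and window[0] <= now - 3600:
                window.popleft()            # drop calls older than one hour
            if len(window) >= self.rate:
                return 429                  # limit reached for this IP (per the page)
            window.append(now)
        return 200

if __name__ == "__main__":
    # Constructed sample values: documentation IP range and made-up index names.
    key = KeyPolicy(indices=["dev_*"], referers=["https://algolia.com/*"],
                    max_calls_per_ip_per_hour=2, validity=600, created_at=1000.0)
    for t in (1001, 1002, 1003):
        print(t, key.check("dev_products", "https://algolia.com/search", "203.0.113.7", t))
    print(key.check("dev_products", None, "203.0.113.8", 1004))  # missing Referer
```

The last call shows the failure mode noted above for browsers that remove the Referer header: a key with a referer restriction rejects the request even though the index and rate limit would allow it.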