# Security best practices

> To secure your Algolia account, enable 2FA, restrict API key access, control team permissions, protect sensitive data, and use HTTPS.

export const UserToken = () => <Tooltip tip="A user token is a pseudonymous ID that represents an individual user across Algolia searches and events. It links queries, clicks, and conversions to a user profile, enabling user-level analytics, personalization, and recommendations." cta="User token" href="/doc/guides/sending-events/concepts/usertoken">
    user token
  </Tooltip>;

export const SearchRequest = () => <Tooltip tip="A search request is a single HTTP call to the Algolia Search API that can run one or more search operations. It can include multiple queries, for example, when querying several indices at once.">
    search request
  </Tooltip>;

export const SearchQuery = () => <Tooltip tip="The text users enter into a search box. In the Search API, this corresponds to the query parameter. A search query is often used with filters, facets, and other parameters, but these aren't part of the query text itself.">
    search query
  </Tooltip>;

export const Index = () => <Tooltip tip="An Algolia index is a searchable dataset that consists of records and configuration settings. These settings define how the records are searched and ranked.">
    index
  </Tooltip>;

export const ApplicationID = () => <Tooltip tip="A unique alphanumeric string that identifies an Algolia application." cta="Application ID (dashboard)" href="https://dashboard.algolia.com/account/api-keys">
    application ID
  </Tooltip>;

export const Application = () => <Tooltip tip="An Algolia application is a self-contained environment with its own indices, configuration, and API keys. Applications don't share data or settings with each other.">
    application
  </Tooltip>;

Security is [a **shared responsibility**](/doc/guides/security/security-best-practices/in-depth/shared-responsibility) between Algolia and you, the developer.
Use the following steps and controls to avoid exposing your data and your Algolia account.

## Two-factor authentication

All users with access to your account should enable [two-factor authentication (2FA)](https://wikipedia.org/wiki/Multi-factor_authentication).
You can use your preferred authenticator app, such as Google Authenticator, Microsoft Authenticator, or Twilio Authy.

To enable two-factor authentication, follow these steps:

1. Go to the [Algolia dashboard](https://dashboard.algolia.com/dashboard).
2. On the left sidebar, select <Icon icon="settings" /> **Settings**.
3. Click [**Account details**](https://dashboard.algolia.com/account/details).
4. In the **Two-factor authentication** section, click **Enable** and scan the barcode with your authenticator app.
5. Securely save your recovery codes.

If you lose access, see [How to reset two-factor authentication (2FA)](https://support.algolia.com/hc/en-us/articles/4406975223569-How-do-I-reset-two-factor-authentication-2FA-on-my-account-).

## Secure your API keys

Algolia provides predefined API keys for common tasks and lets you create custom keys with detailed access control lists (ACLs).
Set restrictions on keys to limit user access and prevent data crawling.
Algolia securely generates and encrypts keys, but handle them responsibly.
Don't use write-access keys in frontend code or mobile apps,
and use environment variables for API keys in your code instead of hardcoding them.
This extra security layer protects your data if your source code becomes public.

<Warning>
  **Be careful when using third-party services**.
  If a third-party service, such as a continuous integration (CI) service,
  has a security incident, your Algolia API keys might leak.
  If a security incident occurs,
  immediately [change your keys](#rotate-your-api-keys-regularly).
</Warning>

### Keep your admin API key confidential

Your account's admin API key gives access to everything in your account, including all your indices.
Keep your admin API key confidential and never use it in production.

<Warning>
  Never use your Admin API key in any app.
  Use it to generate other, more limited keys for searching and performing indexing operations.
</Warning>

### Rotate your API keys regularly

**Regenerate all your API keys at least once a year.**
Rotating your API keys reduces the risk of leaks, misuse, and compliance issues.
For sensitive apps, rotate your keys more often.
Limit each API key's validity to one year.

### Use secured API keys in mobile apps

**Don't hardcode API keys in mobile applications.**
When you need to update your API keys, users need to update your app on their devices,
or they won't be able to search on your site.
Users might not update your app right away.

That's why you should fetch [restricted API keys](/doc/guides/security/api-keys#secured-api-keys) dynamically from your app's backend.

Tools can scrape information from mobile apps, including any hardcoded credentials.
Add only the necessary permissions to your app's API keys and set them to expire.

### Separate your development and production environments

If you're using different Algolia applications for development and production,
you automatically use different API keys.

If you're using a single Algolia <Application /> with development and production indices,
use a different API key for each <Index />.

For more information,
see [Manage your Algolia applications](/doc/guides/sending-and-managing-data/manage-indices-and-apps/manage-your-apps).

## Team management

When you [invite team members](https://dashboard.algolia.com/account/teams),
only give them access to the parts of your app that they need.

### Remove access from members who leave your team

Algolia can't help you if team members perform irreversible operations in your Algolia application.
Invite team members using email addresses managed by your organization,
so you can revoke their access if needed.

### Use a shared email address for the account owner

If you're using an individual email address for the account owner,
your team might lose access if this person leaves or becomes unavailable.
It's better to use a shared company email address for the owner of your Algolia application.

If you want to change the account owner, see [How to transfer ownership of an account to someone else?](https://support.algolia.com/hc/en-us/articles/4406981844113)

## Sensitive information

Algolia keeps your data secure and isolated from other Algolia users.
To prevent access from unauthorized users, Algolia provides these features:

* [Secured API keys](/doc/guides/security/api-keys/how-to/user-restricted-access-to-data) with access restrictions
* [`unretrievableAttributes`](/doc/api-reference/api-parameters/unretrievableAttributes)
* [Algolia Vault](/doc/guides/security/algolia-vault)

Follow these steps when dealing with sensitive information:

* **Don't use sensitive data in metadata**. Algolia stores some metadata in logs.
* **Don't use sensitive information in an index name**. Index names are public, because they appear in network requests.
* **Don't use personally identifiable information** as the [`userToken`](/doc/api-reference/api-parameters/userToken) parameter in a <SearchRequest />.

### Algolia internal logs

Algolia keeps logs for your **Search API** and **Insights API** calls.
Algolia **Analytics** then processes these logs.

#### Search API logs

Algolia retains your Search API logs for processing and auditability for 90 days in the region you specified when choosing your plan.

Your Search API logs include:

* Algolia <ApplicationID />
* Index name
* Truncated request IP address for successful calls and full request IP address for failed calls with 4xx/5xx status (for investigation and auditability)
* A <UserToken />
* A <SearchQuery />
* Applied filters
* Analytics tags
* HTTP headers
* Obfuscated API key
* Returned `objectIDs`

#### Insights API logs

Algolia retains your Insights API logs for processing and auditability for 90 days in the region you specified when choosing your plan.
You can choose to extend the retention period to 365 days. For more information, see [Extending the retention period of the analytics data](https://support.algolia.com/hc/en-us/articles/4406975230993-Can-I-extend-the-retention-period-of-the-analytics-data-).

Your Insights API logs include:

* Event details for successful API calls
* Algolia application ID
* Obfuscated API key
* Truncated request IP address
* User agent

#### Analytics

Algolia Analytics processes Search API logs and Insights API events.

Algolia stores your data in the region you chose when setting up your plan.
For more information,
see [Extending the retention period of the analytics data](https://support.algolia.com/hc/en-us/articles/4406975230993-Can-I-extend-the-retention-period-of-the-analytics-data-).

## Content security policy

[Content security policy](https://content-security-policy.com) (CSP) is an HTTP response header that lets you restrict allowed resources and domains.
When you're implementing CSP, use the following policy for Algolia:

```txt theme={"system"}
connect-src https://*.algolia.net https://*.algolianet.com https://*.algolia.io;
```

If you're using InstantSearch with [`insights`](/doc/api-reference/widgets/instantsearch/js#param-insights) set to `true` and you're letting the library load [`search-insights`](/doc/libraries/search-insights) for you,
make sure to add `https://cdn.jsdelivr.net` in your list of trusted sources for JavaScript.

```txt theme={"system"}
script-src https://cdn.jsdelivr.net/
```

If you're using [Algolia Experiences](/doc/guides/building-search-ui/algolia-experiences/get-started),
add `https://*.algolia.com` to both directives.
This covers the Experiences API, the bundle resolver, and the runtime bundle.

```txt theme={"system"}
connect-src https://*.algolia.com https://*.algolia.net https://*.algolianet.com https://*.algolia.io;
script-src  https://cdn.jsdelivr.net https://*.algolia.com;
```

## HTTPS security practices

Algolia uses HTTPS for all API requests.

### HTTP referrer restrictions

Browsers send the source URL of a request in the `Referer` or `Origin` HTTP header.
Like any HTTP header, these can be spoofed:
a request made with `curl`, for example, can carry any `Referer` value.
Use [secured API keys](/doc/guides/security/api-keys#secured-api-keys) to prevent unauthorized access to your data.

Most browsers send the `Referer` header with every request.
You can use it to restrict the usage of your API key to your website.
This prevents another website from stealing your key, for example, to harvest ad clicks with your data.
Someone can still scrape the data with other tools that set their own headers.
To mitigate that risk, you can [restrict which HTTP referrers you accept](/doc/guides/security/api-keys/in-depth/api-key-restrictions#http-referrers) and [rate-limit API keys](/doc/guides/security/api-keys/in-depth/api-key-restrictions#rate-limit).

<Warning>
  Some browsers intentionally remove the `Referer` and `Origin` headers from third-party requests.
  If you're using a search API key with restrictions on the referrer,
  this will prevent users from searching on these browsers.
</Warning>

### Authorized HTTP referrers

You can restrict which referrers can make API requests with a given API key.
By default,
Algolia allows requests from any referrer.

Target referrers by matching a prefix or suffix using the `*` wildcard:

* `https://algolia.com/*` restricts access to all referrers starting with `https://algolia.com`.
* `*.algolia.com` restricts access to all referrers ending with `.algolia.com`.
* To allow access to the entire `algolia.com` domain, use both `https://algolia.com/*` and `https://*.algolia.com/*`.

<Tip>
  Referrer and Origin headers can be spoofed.
  Treat referrer rules as a light access control layer and combine them with other restrictions—like ACLs,
  index allowlists,
  key validity,
  rate limits,
  and secured API keys—for stronger protection.
</Tip>
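The mobile-app section above says to fetch restricted keys from your backend and let them expire, and this tip says to stack restrictions such as ACLs, index allowlists, key validity and secured keys. The following Python is an added example, not Algolia's or its clients' code: it mints such a per-user key on the backend and shows the integrity check that makes the restrictions tamper-proof. It assumes the layout the official clients produce for secured keys (base64 of an HMAC-SHA256 hex digest followed by the URL-encoded restrictions); the `products` index, the `visible_by` attribute, the placeholder parent key and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder: a search-only key from the dashboard goes here, never the admin key.
PARENT_SEARCH_KEY = "search-only-parent-key-placeholder"
DIGEST_HEX_LEN = 64  # length of a hex-encoded SHA-256 digest

def sign(parent_key, params):
    return hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()

def generate_secured_api_key(parent_key, restrictions):
    """Assumption: mirrors the official clients, base64(HMAC-SHA256 hex digest + URL-encoded restrictions)."""
    params = urlencode(sorted(restrictions.items()))
    return base64.b64encode((sign(parent_key, params) + params).encode()).decode()

def parse_secured_api_key(secured_key):
    """Split a secured key into its hex digest and a dict of restrictions."""
    decoded = base64.b64decode(secured_key).decode()
    return decoded[:DIGEST_HEX_LEN], dict(parse_qsl(decoded[DIGEST_HEX_LEN:]))

def is_authentic(parent_key, secured_key):
    """Integrity check modelled on the API side (assumption): recompute the HMAC and
    compare in constant time, so edited filters or validUntil are rejected."""
    digest, restrictions = parse_secured_api_key(secured_key)
    return hmac.compare_digest(digest, sign(parent_key, urlencode(sorted(restrictions.items()))))

def key_for_user(pseudonymous_id, ttl_seconds=3600, now=None):
    """Short-lived, least-privilege key a backend endpoint hands to the mobile app."""
    now = int(time.time()) if now is None else now
    return generate_secured_api_key(PARENT_SEARCH_KEY, {
        "filters": f"visible_by:{pseudonymous_id}",  # only records this user may see
        "restrictIndices": "products",               # one index, not the whole application
        "userToken": pseudonymous_id,                # pseudonymous, never PII
        "validUntil": now + ttl_seconds,             # expiry makes rotation automatic
    })

def remaining_validity(secured_key, now=None):
    """Seconds until expiry; negative means the app must fetch a fresh key."""
    now = int(time.time()) if now is None else now
    return int(parse_secured_api_key(secured_key)[1]["validUntil"]) - now

def edited_copy(secured_key, **changes):
    """Demo helper: edit restrictions without re-signing; is_authentic() must reject the result."""
    digest, restrictions = parse_secured_api_key(secured_key)
    restrictions.update(changes)
    return base64.b64encode((digest + urlencode(sorted(restrictions.items()))).encode()).decode()
```

Because the key embeds its own restrictions, the app can read `validUntil` locally and ask the backend for a new key before the old one expires, while any edit to the embedded restrictions breaks the signature.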

## Block IP addresses

If you see an unexpected increase in search operations,
check that your implementation isn't issuing duplicate or unnecessary requests.

If you detect unusual or excessive request activity on your site,
consider blocking specific IP addresses outside Algolia.
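To tell the two cases apart, an implementation that double-fires requests and an address that crawls the index, you need the request log in front of you. The Python below is an added example (not Algolia tooling) that runs both checks over a constructed log whose records carry the fields this page lists for Search API logs; the thresholds, field names and sample addresses are assumptions to adjust for your traffic.

```python
from collections import Counter, defaultdict

def constructed_log():
    """Constructed sample, not real traffic: one record per search request with the
    fields this page lists for Search API logs (IP, index, query, user token)."""
    rows = [
        {"ts": 1700000000, "ip": "203.0.113.10", "index": "products", "query": "shoes", "userToken": "u-1"},
        {"ts": 1700000000, "ip": "203.0.113.10", "index": "products", "query": "shoes", "userToken": "u-1"},
        {"ts": 1700000001, "ip": "203.0.113.10", "index": "products", "query": "shoes", "userToken": "u-1"},
        {"ts": 1700000002, "ip": "203.0.113.11", "index": "products", "query": "hat", "userToken": "u-2"},
        {"ts": 1700000090, "ip": "203.0.113.11", "index": "products", "query": "hat", "userToken": "u-2"},
    ]
    # 120 distinct queries from one address inside 30 seconds: the crawl-like pattern
    # this page suggests blocking outside Algolia.
    rows += [{"ts": 1700000010 + i // 4, "ip": "198.51.100.7", "index": "products",
              "query": f"sku-{i}", "userToken": f"anon-{i}"} for i in range(120)]
    return rows

def duplicate_requests(rows, window=2):
    """Identical requests (same IP, user token, index, query) repeated within `window`
    seconds: usually an implementation bug (firing twice per keystroke), not abuse."""
    last_seen, dups = {}, Counter()
    for r in sorted(rows, key=lambda r: r["ts"]):
        sig = (r["ip"], r["userToken"], r["index"], r["query"])
        if sig in last_seen and r["ts"] - last_seen[sig] <= window:
            dups[sig] += 1
        last_seen[sig] = r["ts"]
    return dups

def bursty_ips(rows, window=60, threshold=100):
    """IPs whose peak request count in any sliding `window` exceeds `threshold`,
    mapped to that peak; these are the candidates for blocking upstream of Algolia."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        left = peak = 0
        for right, t in enumerate(times):
            while t - times[left] >= window:  # drop timestamps that fell out of the window
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```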

## See also

* [Monitoring search operations](https://support.algolia.com/hc/en-us/articles/4406981900433-Monitoring-Search-Operations)
* [How to deal with bots](https://support.algolia.com/hc/en-us/articles/10154087058705-How-do-I-deal-with-bots-in-Algolia-Search-)
* [How an API key provides security (blog)](https://www.algolia.com/blog/engineering/search-101-what-is-an-api-key-how-does-it-provide-api-security)
* [API keys vs JWT authorization (blog)](https://www.algolia.com/blog/engineering/api-keys-vs-json-web-tokens)
* [Inspect Algolia requests in browser developer tools (blog)](https://www.algolia.com/blog/engineering/algolia-analyzer-browser-extension-inspect-algolia-specific-requests-in-devtools)
