> ## Documentation Index
> Fetch the complete documentation index at: https://algolia.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Generate secured API key

> Create an API key on your server without any request to Algolia.

This helper method generates a secured API key from a parent API key by adding query parameters and restrictions.

Secured API keys use hash-based message authentication codes ([HMAC](https://en.wikipedia.org/wiki/HMAC)).

To generate a secured API key, the method performs the following steps:

1. Compute a SHA-256 HMAC with:

   * **Secret**: the parent API key
   * **Message**: a URL-encoded list of query parameters

   These query parameters are applied to every request that uses the API key and can't be modified by end users.

2. Concatenate the SHA-256 HMAC with the list of query parameters into a single string.

3. Encode the resulting string in `base64`.

## Usage

<CodeGroup>
  ```cs C# theme={"system"}
  var response = client.GenerateSecuredApiKey(
    "2640659426d5107b6e47d75db9cbaef8",
    new SecuredApiKeyRestrictions
    {
      ValidUntil = 2524604400L,
      RestrictIndices = new List<string> { "Movies" },
    }
  );
  ```

  ```go Go theme={"system"}
  response, err := client.GenerateSecuredApiKey(
    "2640659426d5107b6e47d75db9cbaef8",
    search.NewEmptySecuredApiKeyRestrictions().SetValidUntil(2524604400).SetRestrictIndices(
      []string{"Movies"}))
  if err != nil {
    // handle the eventual error
    panic(err)
  }
  ```

  ```java Java theme={"system"}
  String response = client.generateSecuredApiKey(
    "2640659426d5107b6e47d75db9cbaef8",
    new SecuredApiKeyRestrictions().setValidUntil(2524604400L).setRestrictIndices(Arrays.asList("Movies"))
  );
  ```

  ```js JavaScript theme={"system"}
  const response = client.generateSecuredApiKey({
    parentApiKey: '2640659426d5107b6e47d75db9cbaef8',
    restrictions: { validUntil: 2524604400, restrictIndices: ['Movies'] },
  });
  ```

  ```kotlin Kotlin theme={"system"}
  var response =
    client.generateSecuredApiKey(
      parentApiKey = "2640659426d5107b6e47d75db9cbaef8",
      restrictions =
        SecuredApiKeyRestrictions(validUntil = 2524604400L, restrictIndices = listOf("Movies")),
    )
  ```

  ```php PHP theme={"system"}
  $response = $client->generateSecuredApiKey(
      '2640659426d5107b6e47d75db9cbaef8',
      ['validUntil' => 2524604400,
          'restrictIndices' => [
              'Movies',
          ],
      ],
  );
  ```

  ```python Python theme={"system"}
  response = client.generate_secured_api_key(
      parent_api_key="2640659426d5107b6e47d75db9cbaef8",
      restrictions={
          "validUntil": 2524604400,
          "restrictIndices": [
              "Movies",
          ],
      },
  )
  ```

  ```ruby Ruby theme={"system"}
  response = client.generate_secured_api_key(
    "2640659426d5107b6e47d75db9cbaef8",
    Algolia::Search::SecuredApiKeyRestrictions.new(valid_until: 2524604400, restrict_indices: ["Movies"])
  )
  ```

  ```scala Scala theme={"system"}
  val response = client.generateSecuredApiKey(
    parentApiKey = "2640659426d5107b6e47d75db9cbaef8",
    restrictions = SecuredApiKeyRestrictions(
      validUntil = Some(2524604400L),
      restrictIndices = Some(Seq("Movies"))
    )
  )
  ```

  ```swift Swift theme={"system"}
  let response = try client.generateSecuredApiKey(
      parentApiKey: "2640659426d5107b6e47d75db9cbaef8",
      restrictions: SecuredApiKeyRestrictions(validUntil: Int64(2_524_604_400), restrictIndices: ["Movies"])
  )
  ```
</CodeGroup>

## Parameters

<Tabs>
  <Tab title="C#">
    <ParamField body="parentApiKey" type="string" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restriction" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="SearchParams" type="SearchParamsObject">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="Filters" type="string">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="ValidUntil" type="long">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="RestrictIndices" type="List<string>">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="RestrictSources" type="string">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="UserToken" type="string">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Go">
    <ParamField body="parentApiKey" type="string" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="SearchParams" type="SearchParamsObject">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="Filters" type="string">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="ValidUntil" type="int64">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="RestrictIndices" type="[]string">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="RestrictSources" type="string">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="UserToken" type="string">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Java">
    <ParamField body="parentApiKey" type="String" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="searchParams" type="SearchParamsObject">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="String">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="validUntil" type="Long">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrictIndices" type="List<String>">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrictSources" type="String">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="userToken" type="String">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="JavaScript">
    <ParamField body="parentApiKey" type="string" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="searchParams" type="SearchParams">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="String">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="validUntil" type="number">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrictIndices" type="string[]">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrictSources" type="string">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="userToken" type="string">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Kotlin">
    <ParamField body="parentApiKey" type="String" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="searchParams" type="SearchParamsObject">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="String">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="validUntil" type="Long">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrictIndices" type="List<String>">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrictSources" type="String">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="userToken" type="String">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="PHP">
    <ParamField body="parentApiKey" type="string" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="array" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="searchParams" type="array">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="string">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="validUntil" type="int">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrictIndices" type="string[]">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrictSources" type="string">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="userToken" type="string">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Python">
    <ParamField body="parent_api_key" type="str" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="dict | SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="search_params" type="dict | SearchParams">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="str">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="valid_until" type="int">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrict_indices" type="list[str]">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrict_sources" type="str">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="user_token" type="str">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Ruby">
    <ParamField body="parent_api_key" type="String" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="Hash" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="search_params" type="SearchParams">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="String">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="valid_until" type="integer">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrict_indices" type="Array[String]">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrict_sources" type="String">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="user_token" type="String">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Scala">
    <ParamField body="parentApiKey" type="String" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="searchParams" type="SearchParamsObject">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="String">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="validUntil" type="Long">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrictIndices" type="Seq[String]">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrictSources" type="String">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="userToken" type="String">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>

  <Tab title="Swift">
    <ParamField body="parentApiKey" type="String" required>
      The API key to be used as *secret* for the secured API key.
      The secured API key inherits all restrictions from its parent.
      You can't use an Admin API key as parent.
    </ParamField>

    <ParamField body="restrictions" type="SecuredApiKeyRestrictions" required>
      You must apply at least one restriction when creating a secured API key.
      If you try to use a secured API key with the same restrictions as its parent key,
      the API returns a `403 Forbidden` error.

      <Expandable>
        <ParamField body="searchParams" type="SearchParamsObject">
          Search parameters that are always applied when using this API key.
          For more information, see [API parameters](/doc/api-reference/search-api-parameters).
        </ParamField>

        <ParamField body="filters" type="String">
          Filters that are always applied when using this API key.
        </ParamField>

        <ParamField body="validUntil" type="int">
          Timestamp when the API key expires,
          in seconds since the Unix epoch.
        </ParamField>

        <ParamField body="restrictIndices" type="[String]">
          Indices names that this API key can access.
          Use `*` as a wildcard, for example `dev_*` to allow all indices with names that start with `dev_`.
          When using replica indices, include them explicitly, or use wildcard patterns.
        </ParamField>

        <ParamField body="restrictSources" type="String">
          IP network range that is allowed to use this API key.
        </ParamField>

        <ParamField body="userToken" type="String">
          By default, rate limits are applied per IP address.
          If many users share an IP,
          add a user token to each generated API key to avoid incorrect rate limiting.
        </ParamField>
      </Expandable>
    </ParamField>
  </Tab>
</Tabs>
