Access keys
Safely allow searches directly from web and mobile.
Access keys allow you to authenticate requests to the Firesearch API without revealing your FIRESEARCH_API_KEY.
Security strategy
If your searches happen backend to backend, then you do not need to use Access keys. You can just use the X-API-Key approach described in the Security guide.
To allow web and mobile clients to access the Firesearch API you need to use the AccessKeyService.GenerateKey method to generate Access keys.
You should generate Access keys on the backend, and pass them in a secure and authenticated way to your clients.
Clients may then call the IndexService.Search and AutocompleteService.Complete methods (setting the AccessKey field) without passing the X-API-Key header.
Create an Access key
To create an Access key in backend code, use the AccessKeyService.GenerateKey method.
You will pass a request that looks like this:
The indexPathPrefix indicates which indexes the client will have access to.
For example, if you have two indexes per customer, firesearch/customers/123/indexes/movie-search and firesearch/customers/123/indexes/music-search, you can generate a single customer-specific Access key by specifying the IndexPathPrefix as firesearch/customers/123/indexes.
You will receive the key in the response:
Expiration
For security reasons, Access Keys expire after 24 hours. You should refresh them from time to time.
For example, you could generate a new Access Key whenever the user signs in.
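The following backend sketch ties the indexPathPrefix scoping and the 24-hour expiry together. It is an added example, not Firesearch's own code: generate_key is a hypothetical wrapper around AccessKeyService.GenerateKey that you supply, and the customer ID format and one-hour refresh margin are assumptions.

```python
import re
import time

KEY_LIFETIME = 24 * 60 * 60  # Access keys expire after 24 hours (from the page)
REFRESH_MARGIN = 60 * 60     # assumption: renew one hour before expiry
# Assumption: customer IDs never contain '/' or '.', so a crafted ID cannot
# widen the prefix beyond that customer's own indexes.
_CUSTOMER_ID = re.compile(r"[A-Za-z0-9_-]+")


def index_path_prefix(customer_id: str) -> str:
    """Build the per-customer prefix from the server-side authenticated ID."""
    if not _CUSTOMER_ID.fullmatch(customer_id):
        raise ValueError("invalid customer id")
    return f"firesearch/customers/{customer_id}/indexes"


class AccessKeyCache:
    """Hands each signed-in customer a key scoped to their own indexes."""

    def __init__(self, generate_key, clock=time.time):
        # generate_key(prefix) -> access key string. Hypothetical callable
        # wrapping AccessKeyService.GenerateKey; only it holds the
        # FIRESEARCH_API_KEY, which never leaves the backend.
        self._generate_key = generate_key
        self._clock = clock
        self._keys = {}  # prefix -> (access_key, issued_at)

    def key_for(self, customer_id: str) -> str:
        """Return a cached key, or generate a new one when close to expiry."""
        prefix = index_path_prefix(customer_id)
        now = self._clock()
        cached = self._keys.get(prefix)
        if cached and now - cached[1] < KEY_LIFETIME - REFRESH_MARGIN:
            return cached[0]
        key = self._generate_key(prefix)
        self._keys[prefix] = (key, now)
        return key
```

Call key_for with the customer ID taken from the authenticated session, never from a client-supplied parameter, and return the key only over the authenticated channel.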