Generate tenant tokens without a Meilisearch SDK

This guide shows you the main steps when creating tenant tokens using node-jsonwebtoken, a third-party library.

• a working Meilisearch project
• a JavaScript application supporting authenticated users
• jsonwebtoken v9.0

First, create a set of search rules:

{
  "INDEX_NAME": {
    "filter": "ATTRIBUTE = VALUE"
  }
}

Next, find your default search API key. Query the get an API key endpoint and inspect the uid field to obtain your API key's UID:

curl \
  -X GET 'http://localhost:7700/keys/API_KEY' \
  -H 'Authorization: Bearer MASTER_KEY'

For maximum security, you should also set an expiry date for your tenant tokens. The following example configures the token to expire 20 minutes after its creation:

parseInt(Date.now() / 1000) + 20 * 60

First, include jsonwebtoken in your application. Next, assemble the token payload and pass it to jsonwebtoken's sign method:

const jwt = require('jsonwebtoken');

const apiKey = 'API_KEY';
const apiKeyUid = 'API_KEY_UID';
const currentUserID = 'USER_ID';
const expiryDate = parseInt(Date.now() / 1000) + 20 * 60; // 20 minutes

const tokenPayload = {
  searchRules: {
    'INDEX_NAME': {
      'filter': `user_id = ${currentUserID}`
     }
  },
  apiKeyUid: apiKeyUid,
  exp: expiryDate
};

const token = jwt.sign(tokenPayload, apiKey, {algorithm: 'HS256'});

sign requires the payload, a Meilisearch API key, and an encryption algorithm. Meilisearch supports the following encryption algorithms: HS256, HS384, and HS512.

Your tenant token is now ready to use.

After signing the token, you can use it to make search queries in the same way you would use an API key.

curl \
  -X POST 'http://localhost:7700/indexes/patient_medical_records/search' \
  -H 'Authorization: Bearer TENANT_TOKEN'