This tutorial will show you how to secure your Meilisearch project. You will see how to manage your master key and how to safely send requests to the Meilisearch API using an API key.
Creating the master key
The master key is the first and most important step to secure your Meilisearch project.
Creating the master key in Meilisearch Cloud
Meilisearch Cloud automatically generates a master key for each project. This means Meilisearch Cloud projects are secure by default.
You can view your master key by visiting your project settings, then clicking “API Keys” on the sidebar:
Creating the master key in a self-hosted instance
To protect your self-hosted instance, relaunch it using the --master-key command-line option or the MEILI_MASTER_KEY environment variable:
The master key must be at least 16-bytes-long and composed of valid UTF-8 characters. Use one of the following tools to generate a secure master key:
Meilisearch will launch as usual. The start up log should include a message informing you the instance is protected:
If you supplied an insecure key, Meilisearch will display a warning and suggest you relaunch your instance with an autogenerated alternative:
Obtaining API keys
When your project is protected, Meilisearch automatically generates four API keys: Default Search API Key, Default Admin API Key, Default Read-Only Admin API Key, and Default Chat API Key. API keys are authorization tokens designed to safely communicate with the Meilisearch API.
Obtaining API keys in Meilisearch Cloud
Find your API keys by visiting your project settings, then clicking “API Keys” on the sidebar:
Obtaining API keys in a self-hosted instance
Use your master key to query the /keys endpoint to view all API keys in your instance:
Only use the master key to manage API keys. Never use the master key to perform searches or other common operations.
Meilisearch’s response will include at least the default API keys:
Sending secure API requests to Meilisearch
Now you have your API keys, you can safely query the Meilisearch API. Add API keys to requests using an Authorization bearer token header.
Use the Default Admin API Key to perform sensitive operations, such as creating a new index:
Then use the Default Search API Key to perform search operations in the index you just created:
Admin API keys
Meilisearch provides two admin API keys for managing your instance:
- The
Default Admin API Key grants full access to all Meilisearch operations except API key management. Use it to configure index settings, add documents, and perform other administrative tasks.
- The
Default Read-Only Admin API Key allows read-only access to the whole database. Use it when you need to retrieve information from your Meilisearch instance without being able to modify it.
Do not expose admin API keys on a public frontend.
Chat API key
The Default Chat API Key is designed for frontend usage with conversational search. It has access to both search and chatCompletions actions, allowing users to both perform searches and interact with the chat completions feature.
Conclusion
You have successfully secured Meilisearch by configuring a master key. You then saw how to access the Meilisearch API by adding an API key to your request’s authorization header.