algolia / gatsby-plugin-algolia

A plugin to push to Algolia based on graphQl queries
https://yarn.pm/gatsby-plugin-algolia
Apache License 2.0

Document how to create API key with only necessary access #95

Open aaronadamsCA opened 3 years ago

aaronadamsCA commented 3 years ago

From the Algolia docs:

Admin API key

Your Admin API key is your most sensitive key, and should remain confidential. It provides full control of all your indices and data. You should only use your Admin API to generate other, more limited API keys for searching and performing indexing operations. You should never share it with anyone, including our support team.

You must never use your Admin API key in any application. Its role is to generate other, more limited keys to use for searching and performing indexing operations.

I'd like to see the docs for this plugin (and the corresponding Gatsby tutorial) updated to follow this best practice. Specifically, tell the user how to create a more limited API key, and list the operations a user would need to grant to the key.

Thanks, great plugin so far 👍

Haroenv commented 3 years ago

Good point, the ACL needed is addObject, deleteObject, browse, deleteIndex, and editSettings. You can do this via the dashboard or via client.addApiKey. The readme here and the guide on Gatsby indeed should be updated.

Since it's Hacktoberfest, is this something you're interested in making a PR for?

aaronadamsCA commented 3 years ago

Thanks for the quick response! I landed on "browse", "addObject", "deleteObject", "settings", "editSettings". Can you confirm whether I actually need to give "deleteIndex" as well? It just seems like a lot of destructive power for an indexing key to have.

aaronadamsCA commented 3 years ago

> Since it's Hacktoberfest, is this something you're interested in making a PR for?

Maybe later in October 🙂 I will save it for later when I've got time, but in the meantime if anyone wants to take this, go for it!

Haroenv commented 3 years ago

Ah, you're right, deleteIndex isn't needed. I thought moveIndex used that ACL, but it uses addObject (see https://www.algolia.com/doc/api-reference/api-methods/move-index/).

`settings` is a subset of `editSettings`, IIRC.
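The thread settles on the ACL set `browse`, `addObject`, `deleteObject`, `settings`, `editSettings`, with `deleteIndex` left off. The script below is an added example (it is not part of gatsby-plugin-algolia or of the comments above) that creates such a key with `client.addApiKey` from the algoliasearch v4 JavaScript client and then reads it back with `client.getApiKey` to confirm the grants match least privilege. Assumptions: the admin credentials come from the environment variables `ALGOLIA_APP_ID` and `ALGOLIA_ADMIN_KEY` (names chosen here), and the key is restricted to the target index plus an `<indexName>_tmp` sibling, on the assumption that the plugin builds into a temporary index and moves it over the live one; adjust the `indexes` list if your plugin version names indices differently.

```javascript
'use strict';
// Added example, not gatsby-plugin-algolia's own code: create a least-privilege
// Algolia indexing key and audit a key's ACL against what the plugin needs.

// ACL set agreed in the thread. deleteIndex is deliberately absent:
// moveIndex only needs addObject.
const REQUIRED_ACL = Object.freeze([
  'browse',
  'addObject',
  'deleteObject',
  'settings',
  'editSettings',
]);

// Build the (acl, params) pair for client.addApiKey(acl, params).
function buildIndexingKeyParams(indexName, opts = {}) {
  if (typeof indexName !== 'string' || indexName.length === 0) {
    throw new TypeError('indexName must be a non-empty string');
  }
  // Assumption: the plugin writes into `<indexName>_tmp` and then moves it over
  // the live index, so the key must be valid for both names.
  const indexes = opts.indexes || [indexName, `${indexName}_tmp`];
  return {
    acl: [...REQUIRED_ACL],
    params: {
      description: opts.description || `gatsby-plugin-algolia indexing key for ${indexName}`,
      indexes,
      // Lifetime in seconds; 0 means the key does not expire.
      validity: opts.validity || 0,
    },
  };
}

// Compare a key's granted ACLs (the `acl` field returned by client.getApiKey)
// with REQUIRED_ACL. `missing` breaks the build; `extra` lists grants beyond
// least privilege, e.g. deleteIndex, or the full set of an admin key.
function auditKeyAcl(grantedAcl) {
  const granted = new Set(grantedAcl);
  const missing = REQUIRED_ACL.filter((a) => !granted.has(a));
  const extra = [...granted].filter((a) => !REQUIRED_ACL.includes(a)).sort();
  return { missing, extra, ok: missing.length === 0 && extra.length === 0 };
}

// Create the key with the admin key, wait for propagation, read it back and
// refuse to return it if the ACL does not match exactly. Env var names are
// assumptions for this example.
async function createIndexingKey(indexName) {
  const appId = process.env.ALGOLIA_APP_ID;
  const adminKey = process.env.ALGOLIA_ADMIN_KEY;
  if (!appId || !adminKey) {
    throw new Error('ALGOLIA_APP_ID and ALGOLIA_ADMIN_KEY must be set');
  }
  const algoliasearch = require('algoliasearch'); // loaded only when a key is actually created
  const client = algoliasearch(appId, adminKey);
  const { acl, params } = buildIndexingKeyParams(indexName);
  // addApiKey returns a waitable promise; .wait() resolves once the key is usable.
  const { key } = await client.addApiKey(acl, params).wait();
  const created = await client.getApiKey(key);
  const audit = auditKeyAcl(created.acl);
  if (!audit.ok) {
    throw new Error(`created key ACL does not match least privilege: ${JSON.stringify(audit)}`);
  }
  return key;
}

// CLI use: ALGOLIA_APP_ID=... ALGOLIA_ADMIN_KEY=... node create-indexing-key.js <indexName>
// Does nothing when the credentials or the index argument are absent.
if (typeof process !== 'undefined' && process.env.ALGOLIA_ADMIN_KEY && process.argv[2]) {
  createIndexingKey(process.argv[2])
    .then((key) => console.log(`indexing key created: ${key}`))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

Store the returned key in the CI secret that gatsby-plugin-algolia reads for indexing, keep the admin key out of the build environment entirely, and run `auditKeyAcl` against `client.getApiKey(existingKey)` when reviewing keys that were created by hand in the dashboard: an `extra` entry such as `deleteIndex` is exactly the destructive grant the thread decided an indexing key should not carry.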