typesense / typesense-swift

Swift Client for Typesense ⚡️🔎
https://typesense.org/docs/
Apache License 2.0

How are you supposed to obfuscate the key in the Swift client? #40

Open bnhoang2k opened 1 month ago

bnhoang2k commented 1 month ago

In the README, you make a node, then use that node to create a config, then finally use that config to create a client. However, you can't even make the config without an apiKey; is there a way to get this key without embedding it in the source code?

It seems weird that you need the client to make an api key; but in order to make a client, you need an API key first!

Typesense Version: v1.0.0

jasonbosco commented 1 month ago

On Typesense Cloud, you can generate an API key in the UI to use in the client. When self-hosting, you want to use the bootstrap API key in the client or in curl requests, to generate subsequent keys.

bnhoang2k commented 1 month ago

That was the thing I was afraid of. I was trying to find a way to not embed the bootstrap key (or any key for that matter) into the source code of my iOS application to create other keys. I wanted to hide it.

Is there really no way around this?

jasonbosco commented 1 month ago

You would run the Typesense server on a remote server, start it with the bootstrap API key of your choice on that server. Then on the server, use the bootstrap API key with curl and the /keys API endpoint and generate a search api key and only use that generated api key in your client libraries.

That way you’re not exposing the bootstrap api key on the client side.

bnhoang2k commented 1 month ago

So what I'm hearing is: make a search API key, then embed that into my code? There's no way to hide it?

jasonbosco commented 1 month ago

For a mobile app, you want to have an API endpoint on your backend, which authenticates a user and then generates a short-lived restricted API key for that user and passes it to the app on login. That way the API key is not embedded inside your app; instead it's ephemeral and only stored in memory.

You can periodically rotate the key as needed in your backend, and invalidate the old one.