API Key Authentication

The simplest way to authenticate HTTP requests made from a Coveo Platform-powered search interface is to pass an API key as a bearer token in the Authorization header of each Search API and Usage Analytics Write API call. Using the API key authentication method can be legitimate in a public search interface that only queries non-secured content. If your search interface can query secured content, you must implement the search token authentication method instead.

API key authentication requires you to expose an API key in client-side code. Anyone can use an exposed API key outside of its intended context. As such, an exposed API key should only grant minimal privileges in your Coveo organization.

In particular, be careful to never publicly expose an API key granting the Allowed access level on the Impersonate domain. An API key granting this privilege should only be used when implementing the search token authentication method, and should be safely stored in server-side code.

Typically, publicly exposing an API key that only grants the Allowed access level on the Execute Queries domain and the Push access level on the Analytics Data domain is not a concern, as all one can do with such a key is query publicly available content in an index and anonymously log events to Coveo Usage Analytics (Coveo UA).

  • Coveo organization administrators can manage API keys on their own (see Manage API Keys).
  • To request an API key for a Coveo Cloud V1 organization, you must contact Coveo Support.
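
A pre-publication check for the privilege guidance above, as an added example that is not Coveo code. It assumes a key's privileges are available as `{ domain, level }` records (a hypothetical shape that uses this page's domain and access-level names, not the format of any Coveo API response) and reports anything beyond Execute Queries: Allowed and Analytics Data: Push.

```javascript
// Added example. Domain and access-level names are the ones used on this page;
// the { domain, level } record shape is hypothetical, not a Coveo API format.
const PUBLIC_KEY_ALLOWLIST = new Map([
  ['execute queries', 'allowed'],
  ['analytics data', 'push'],
]);
const NEVER_PUBLIC = new Set(['impersonate']);

const norm = (v) => (typeof v === 'string' ? v.trim().toLowerCase() : '');

// Returns { safeToExpose, findings }; any finding means the key must not ship
// in client-side code as-is.
function auditPublicApiKey(privileges) {
  if (!Array.isArray(privileges)) {
    const reason = 'privilege list missing or not an array';
    return { safeToExpose: false, findings: [{ severity: 'high', reason }] };
  }
  const findings = [];
  for (const entry of privileges) {
    const domain = norm(entry && entry.domain);
    const level = norm(entry && entry.level);
    if (!domain || !level) {
      // Fail closed: an entry that cannot be read is treated as unsafe.
      findings.push({ severity: 'high', entry, reason: 'malformed privilege entry' });
    } else if (NEVER_PUBLIC.has(domain)) {
      findings.push({ severity: 'critical', entry, reason: 'Impersonate belongs on a server-side key only' });
    } else if (!PUBLIC_KEY_ALLOWLIST.has(domain)) {
      findings.push({ severity: 'high', entry, reason: 'domain not needed by a public search page' });
    } else if (PUBLIC_KEY_ALLOWLIST.get(domain) !== level) {
      findings.push({ severity: 'high', entry, reason: 'unexpected access level for this domain' });
    }
  }
  return { safeToExpose: findings.length === 0, findings };
}

// Constructed sample inputs.
const publicKey = [
  { domain: 'Execute Queries', level: 'Allowed' },
  { domain: 'Analytics Data', level: 'Push' },
];
const overPrivilegedKey = [
  ...publicKey,
  { domain: 'Impersonate', level: 'Allowed' },
  { domain: 'Analytics Data', level: 'Edit' },
];

console.log(auditPublicApiKey(publicKey));
console.log(JSON.stringify(auditPublicApiKey(overPrivilegedKey), null, 2));
```

Run as a build or release gate, a check like this stops a key that gained extra privileges from being embedded in a public page.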

In a public Coveo JavaScript Search Framework search page, you implement API key authentication by configuring your search endpoint using an API key that only grants the privileges to execute queries and push usage analytics events in your Coveo organization (see the SearchEndpoint.configureCloudV2Endpoint method).

const organizationId = 'mycoveoorganization';
// Use a key that only grants the privileges to execute queries and push usage analytics events.
const apiKey = '**********-****-****-****-************';
Coveo.SearchEndpoint.configureCloudV2Endpoint(organizationId, apiKey);

Whenever an end user performs an action that triggers a Search API or Usage Analytics Write API call in this search page, the framework automatically sets the Authorization HTTP header using that API key.

To configure a search endpoint targeting a Coveo Cloud V1 organization, you would use the SearchEndpoint.configureCloudEndpoint method instead.
