API Key Authentication
The simplest way to authenticate HTTP requests made from a Coveo Platform-powered search interface is to pass an API key as a bearer token in the Authorization header of each Search API and Usage Analytics Write API call. Using the API key authentication method can be legitimate in a public search interface that only queries non-secured content. If your search interface can query secured content, you must implement the search token authentication method instead.
API key authentication requires you to expose an API key in client-side code. Anyone can use an exposed API key outside of its intended context. As such, an exposed API key should only grant minimal privileges in your Coveo organization.
In particular, be careful to never publicly expose an API key granting the Allowed access level on the Impersonate domain. An API key granting this privilege should only be used when implementing the search token authentication method, and should be safely stored in server-side code.
Typically, publicly exposing an API key that only grants the Allowed access level on the Execute Queries domain and the Push access level on the Analytics Data domain is not a concern, as all anyone can do with such a key is query publicly available content in an index and anonymously log events to Coveo Usage Analytics (Coveo UA).
// Configure the search endpoint with the organization ID and a minimally privileged API key.
const organizationId = 'mycoveoorganization';
const apiKey = '**********-****-****-****-************';
Coveo.SearchEndpoint.configureCloudV2Endpoint(organizationId, apiKey);
Whenever an end user performs an action that triggers a Search API or Usage Analytics Write API call in this search page, the framework automatically sets the Authorization HTTP header using that API key.
To configure a search endpoint targeting a Coveo Cloud V1 organization, you would use the SearchEndpoint.configureCloudEndpoint method instead.
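The privilege guidance above can be enforced as a pre-deployment check on any key destined for client-side code. The following is an added example, not Coveo code: the function name and the { domain, level } privilege shape are assumptions made for illustration, and only the domain and access level names come from this page.

```javascript
// Added example. The { domain, level } shape is an assumption for illustration,
// not the format returned by any Coveo API.

// The only privileges this page describes as acceptable on a publicly exposed key.
const EXPOSABLE_PRIVILEGES = [
  { domain: 'Execute Queries', level: 'Allowed' },
  { domain: 'Analytics Data', level: 'Push' },
];

// Compare names without regard to case or surrounding whitespace.
const normalize = (value) => String(value).trim().toLowerCase();
const sameText = (a, b) => normalize(a) === normalize(b);

// Returns { safeToExpose, violations } for the privileges granted by one API key.
function auditExposedKeyPrivileges(privileges) {
  if (!Array.isArray(privileges)) {
    throw new TypeError('privileges must be an array of { domain, level } objects');
  }
  const violations = [];
  for (const privilege of privileges) {
    const allowed = EXPOSABLE_PRIVILEGES.some(
      (p) => sameText(p.domain, privilege.domain) && sameText(p.level, privilege.level)
    );
    if (allowed) continue;
    // Impersonate gets its own message because the page singles it out.
    const reason = sameText(privilege.domain, 'Impersonate')
      ? 'Impersonate belongs in server-side code (search token authentication)'
      : 'not in the minimal privilege set for a client-side key';
    violations.push({ domain: privilege.domain, level: privilege.level, reason });
  }
  return { safeToExpose: violations.length === 0, violations };
}

// Constructed sample inputs.
const publicKey = [
  { domain: 'Execute Queries', level: 'Allowed' },
  { domain: 'Analytics Data', level: 'Push' },
];
const overPrivilegedKey = [...publicKey, { domain: 'Impersonate', level: 'Allowed' }];

console.log(auditExposedKeyPrivileges(publicKey));
console.log(auditExposedKeyPrivileges(overPrivilegedKey));
```

Running such a check in the build pipeline, before the key is written into the search page, keeps an over-privileged key from ever reaching client-side code.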