API Keys

A developer may need an API key carrying specific privileges and optionally IP restrictions to allow a process to interact with your Coveo™ Cloud organization APIs (see Coveo Cloud Platform API). For example:

  • A developer deploying a search interface that shows only publicly available content can ask for an API key to include in the search interface to authorize the interface to send queries and get results from your Coveo Cloud organization.

  • A developer deploying an on-premises crawler can ask for an API key to include in the crawler to authorize the crawler to use the push API to add content to a source (see Push API Usage Overview).

  • A developer asks for an API key to be able to start a source refresh from the API following the update of the content in the original indexed system.

An API key must typically be used only in server-side software processes where only a limited number of authorized people can see the API key. This is particularly important when the API key carries sensitive privileges that could be exploited by malicious users (see Privileges). Communicate API keys only to legitimate stakeholders through secured channels.

You can legitimately include an API key in client-side code, but only when it is limited to the following privileges:

  • For the Execute queries privilege, select the Enable checkbox.

    Allows sending queries and receiving search results only for content that is indexed to be available anonymously.

  • For the Analytics data privilege, select the Edit checkbox.

    Allows pushing usage analytics events.

Legitimate cases to use the above limited privilege API key in client-side code are:

Do not use an API key for a search interface in which authenticated users can find secured content. In such a case, your search interface must instead use a search token that is generated for each user. Otherwise, search results return only anonymously accessible content. A developer must set up a server-side mechanism to generate the search tokens using an API key (see Search Token Authentication).
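
One shape the server-side mechanism described above can take, as an added example that is not Coveo's own code. The endpoint URL, request body, provider name, the `COVEO_API_KEY` variable and the `authenticated_email` session key are assumptions to confirm against Search Token Authentication.

```python
import json
import os
import urllib.request

# Assumptions (not from the page): endpoint URL, body shape and provider name.
# Confirm them against Search Token Authentication before use.
TOKEN_URL = "https://platform.cloud.coveo.com/rest/search/v2/token"
PROVIDER = "Email Security Provider"


def build_token_request(api_key, user_email):
    """Server-to-server request that trades the API key for a per-user token."""
    body = {"userIds": [{"name": user_email, "provider": PROVIDER, "type": "User"}]}
    return urllib.request.Request(
        TOKEN_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": "Bearer " + api_key,
            "Content-Type": "application/json",
        },
        method="POST",
    )


def http_send(request):
    """Default transport: perform the HTTPS call and decode the JSON reply."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


def issue_search_token(session, send=http_send, env=os.environ):
    """Return the only thing the browser gets: a token for the signed-in user."""
    # Identity comes from the server-side session, never from a request field
    # the client controls, so a token is only issued for the user who signed in.
    email = session.get("authenticated_email")  # hypothetical session key
    if not email:
        raise PermissionError("no authenticated user, refusing to mint a token")
    api_key = env["COVEO_API_KEY"]  # hypothetical variable name; stays server-side
    reply = send(build_token_request(api_key, email))
    return {"token": reply["token"]}
```

The web handler that calls `issue_search_token` sends its return value to the search interface; the API key itself never appears in any response.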