Use search token authentication
Use search token authentication
This is for:
Developersearch tokens are special JSON web tokens that can be used to execute queries and send usage analytics events as a specific user. They’re intended to be used in JavaScript code running in a web browser, typically along with Coveo Headless, Coveo Atomic, or the Coveo JavaScript Search Framework.
By default, search tokens automatically expire after 24 hours.
You can generate search tokens in server-side code by calling a REST service exposed through the Coveo Platform.
Typically, you’ll want to use search token authentication when your search page users are authenticated and some (or all) of the items in your index are secured. In this scenario, each user gets a unique search token, allowing the search interface to securely return only the items that the user is allowed to see.
The examples on this page use the standard Coveo endpoint ( If your organization is multi-region, has data residency outside the US, or is HIPAA-compliant, you must instead use the relevant endpoint. |
Sample usage workflow
Here’s a typical workflow demonstrating the use of search tokens:
-
A user requests a Coveo-powered search interface from a web server.
-
The web server executes server-side code that eventually renders the HTML response (PHP, ASP.NET, and so on).
-
Server-side code authenticates the user who is making the request.
-
Server-side code calls a REST service exposed through the Coveo Platform to get a search token for the authenticated user.
-
The search token is used to generate the JavaScript code that initializes the Coveo-powered search interface.
-
The server sends the generated HTML to the client.
-
The JavaScript code initializes the search interface and executes the first query, using the provided search token.
-
The Coveo Platform executes the query as the user impersonated by the search token.
-
Results are displayed to the user.
Node.js example
You could implement a Node.js Express middleware function and application to serve a Coveo-powered search interface configured with a valid search token.
Here’s a middleware function that requests a search token for the authenticated user:
// ./middlewares.js
"use strict"
const request = require("request");
module.exports = {
getSearchToken: (req, res, next) => {
const postData = {
userIds: MY_USERS.map(user => {
return { name: user, provider: "Email Security Provider" }
}),
searchHub: "<MY_SEARCH_HUB>",
filter: "<MY_FILTER_EXPRESSION>"
};
request(
"https://<ORG_ID>.org.coveo.com/rest/search/v2/token?organizationId=<ORG_ID>",
{
auth: { bearer: "<MY_API_KEY>" },
json: true,
method: "POST",
body: postData
},
(error, response, body) => {
if (error) {
next(error);
} else if (response.statusCode != 200) {
next(JSON.stringify(res, null, 2));
} else {
req.token = body.token;
next();
}
}
);
}
}
Replace MY_USERS , <MY_SEARCH_HUB> , and <MY_FILTER_EXPRESSION> . |
|
Replace <ORG_ID> and <MY_API_KEY> .
You may also need to use a different endpoint, depending on your organization. |
The following application calls the preceding middleware function when the /
route is requested, and passes the generated search token to the template to render:
// ./index.js
"use strict"
const express = require("express");
const app = express();
const middlewares = require("./middlewares.js");
app.set("view engine", "ejs");
app.get("/", middlewares.getSearchToken, (req, res) => {
res.render("index", {
token: req.token
});
});
app.listen(3000);
The search endpoint must then be configured with the token before serving the page.
To initialize a Headless search interface, see the Headless usage documentation.
To initialize an Atomic search interface, see the Atomic usage documentation.
The following is a basic template for a JavaScript Search Framework-powered search page:
<!-- ./views/index.ejs -->
<!DOCTYPE html>
<html lang="en">
<head>
<script class="coveo-script" src="https://static.cloud.coveo.com/searchui/v2.10120/js/CoveoJsSearch.Lazy.min.js"></script>
<link rel="stylesheet" href="https://static.cloud.coveo.com/searchui/v2.10120/css/CoveoFullSearch.css" />
<script src="https://static.cloud.coveo.com/searchui/v2.10120/js/templates/templates.js"></script>
<script>
document.addEventListener("DOMContentLoaded", () => {
Coveo.SearchEndpoint.configureCloudV2Endpoint(
"<ORG_ID>",
"<MY_SEARCH_TOKEN>"
);
Coveo.init(document.getElementById("search"));
})
</script>
</head>
<body id="search" class="CoveoSearchInterface">
<!-- ... -->
<div class="CoveoAnalytics"></div>
<div class="coveo-search-section">
<div class="CoveoSearchbox"></div>
</div>
<div class="coveo-main-section">
<div class="CoveoResultList"></div>
</div>
<!-- ... -->
</body>
</html>
If you have a HIPAA-compliant organization, you must modify your initialization code. |
If the requested page includes a Coveo In-Product Experience (IPX) interface, the token must be injected into the loader script URL as the value of the access_token
query parameter.
The following is a basic template for a page that includes an IPX interface:
<!-- ./views/index.ejs -->
<!DOCTYPE html>
<html lang="en">
<head>
<!-- ... -->
<!-- Coveo In-Product Experience -->
<script type="text/javascript" src="https://platform.cloud.coveo.com/rest/organizations/mycoveoorganization/pages/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/inappwidget/loader?access_token=<%- token %>" async ></script>
<!-- End Coveo In-Product Experience -->
<!-- ... -->
</head>
<body>
<!-- ... -->
</body>
</html>
Request a search token
To request a search token, make a POST
request to https://<ORG_ID>.org.coveo.com/rest/search/v2/token
.
To test the service on the Coveo Platform, use the Swagger UI.
The caller must authenticate using an API key with the Search > Impersonate: Allowed privilege.
If you’re using an API key that enforces a specific search hub value, you won’t have to specify a searchHub
value in the request parameter when creating the search token, as it will enforce the same value as the one in the API key.
Never expose an API key with the Allowed access level on the Impersonate domain in client-side code. Always request search tokens in secure, server-side code. |
Sample request
POST https://myexamplecom.org.coveo.com/rest/search/v2/token?organizationId=myexamplecom HTTP/1.1
Content-Type: application/json
Accept: application/json
Authorization: Bearer **********-****-****-****-************
Payload:
{
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider",
"type": "User"
}
]
}
Successful response
200 OK
{
"token": "fzKjcHdjPJKJVaJ2OjK0fzK2CI6dHJ1ZSwiZXhwIjoxNDY4Njk2NzEwLCJpYXQiOjE0lQGN..."
}
Request body properties
The The Don’t specify your own values for these attributes. They’re either intended for internal use by Coveo or exposed for legacy compatibility. |
The body of a POST
request to the /rest/search/v2/token
route has the following properties:
userIds
(array of RestUserId
, required)
The security identities to impersonate when authenticating a query with this search token.
name
(string, required)
The name of the security identity to impersonate.
This value can also be used in query pipeline condition statements (for example, when $identity is "asmith@example.com"
).
See Manage query pipeline conditions for more details.
Example: asmith@example.com
Leading practice
When generating a search token for a non-authenticated user, use Doing so will automatically set the |
provider
(string, required)
The security identity provider containing the security identity to impersonate.
Example: Email Security Provider
type
(string, optional)
The type of the security identity to impersonate.
Default: User
Allowed values:
-
User
-
Group
-
VirtualGroup
-
Unknown
dictionaryFieldContext
(object, optional)
The dictionary field context to enforce when authenticating a query with this search token.
This value will override the dictionaryFieldContext
parameter of the query itself.
A dictionary field context is a key-value store in which each pair corresponds to the name of a dictionary field to query, along with the key to target within that field.
For example, suppose that in your index, the @price
dictionary field contains different values for its storeA
and storeB
keys.
Including "dictionaryFieldContext": { "price": "storeA" }
when creating a search token means that, for any query made with that search token, any part of the query expression that targets the @price
field will in fact only query the storeA
values of that field.
filter
(string, optional)
The search result filter to apply when authenticating a query with this search token.
This query expression will be merged with the constant part of the query expression (cq
) using an AND
operator.
The filter
can also be used in query pipeline condition statements (for example, when $constantQuery contains "@source==KnowledgeBase"
).
See Manage query pipeline conditions for more details.
Example: @source==KnowledgeBase
Leading practice
Enforcing a A more flexible, albeit less secure, approach is to define query pipeline filter rules. Depending on your needs, either query filtering approach can be legitimate. However, you should stick to the same approach for all search interfaces across your solution. |
filter
sample call
Here’s the body of a search token creation call in which you specify a cq:
{
"filter": "@source==KnowledgeBase",
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider"
}
]
}
pipeline
(string, optional)
The name of the query pipeline to use when authenticating a query with this search token.
This query pipeline will take precedence over the possible output of all other query pipeline routing mechanisms when using this search token.
Unless you specify a queryPipeline
parameter when logging search or click events, the UA service will use the pipeline
value defined in the search token.
Example: InternalSearch
Leading practice
Rather than enforcing a |
pipeline
sample call
Here’s the body of a search token creation call in which you specify an enforced query pipeline:
{
"pipeline": "InternalSearch",
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider"
}
]
}
searchHub
(string, optional)
The name of the search hub to enforce when authenticating a query with this search token.
This value will override the searchhub
parameter of the query itself, and will be passed as the originLevel1
property value when logging Coveo UA search events.
The search hub can also be used in query pipeline condition statements (for example, when $searchHub is "CommunityHub"
).
See Manage query pipeline conditions for more details.
Example: SupportHub
Leading practice
Ideally, you should enforce the However, this isn’t required for search tokens that are used in Coveo for Commerce solutions. See Authenticate commerce requests for more information. |
searchHub
sample call
Here’s the body of a search token creation call in which you specify an enforced search hub:
{
"searchHub": "SupportHub",
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider"
}
]
}
userDisplayName
(string, optional)
The userDisplayName
to pass when logging Coveo UA search events.
This information is leveraged in the Analytics section of the Coveo Administration Console.
Example: Alice Smith
userDisplayName
sample call
Here’s the body of a search token creation call in which you specify the user display name:
{
"userDisplayName": "Alice Smith",
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider"
}
]
}
userGroups
(array of strings, optional)
The userGroups
to pass when logging Coveo UA search events.
This information is leveraged in the Analytics section of the Coveo Administration Console.
User groups can be also be used in query pipeline condition statements (for example, when $groups contains "Employees"
).
See Manage query pipeline conditions for more details.
Example: ["Tech support agents", "Employees"]
userGroups
sample call
Here’s the body of a search token creation call in which you specify user groups:
{
"userGroups": [
"Tech support agents",
"Employees"
],
"userIds" : [
{
"name": "asmith@example.com",
"provider": "Email Security Provider"
}
]
}
validFor
(integer, optional)
The number of milliseconds the search token will remain valid for once it has been created.
Minimum value: 900000
(that is, 15 minutes)
Maximum/default: 86400000
(that is, 24 hours)
validFor
sample call
Here’s the body of a search token creation call in which you specify the expiration time:
{
"validFor": 3600000,
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider"
}
]
}
Renew expired search tokens
By default, a search token expires after 24 hours. If a user opens a page that’s authenticated with a search token and doesn’t reload it for this length of time, the Search API will respond with the following error:
419 - Page Expired
{
"message": "Expired token",
"statusCode": 419,
"type": "ExpiredTokenException"
}
If the search page is also configured to send UA events, the UA Write API will respond with the following error:
400 - Bad Request
{
"message": "The provided token is not a valid token.",
"type": "InvalidToken"
}
You can usually renew expired search tokens automatically.[1]
In Headless, you can use the renewAccessToken
option when you configure your engine.
In Atomic, you can use the renewAccessToken
option when you initialize the atomic-search-interface
component.
In the JavaScript Search Framework, you need to specify a renewAccessToken
function when configuring the search endpoint to use for your interface.
The JavaScript Search Framework will call this function whenever a Search API or Coveo UA Write API request returns the 419 - Page Expired
HTTP status code.
It will then reconfigure your search endpoint with the renewed token.
Note
The |
// index.ejs
document.addEventListener("DOMContentLoaded", () => {
const renewToken = () => {
// Granted that the call returns the search token in text/plain.
return fetch("https://example.com/token").then((response) => {
return response.text();
});
}
Coveo.SearchEndpoint.configureCloudV2Endpoint(
"mycoveoorganization",
"<%- token %>",
"https://mycoveoorganization.org.coveo.com/rest/search/",
{
renewAccessToken: renewToken
}
);
Coveo.init(document.body);
})