---
title: Ensure that authentication enforces search hub values
slug: las95231
canonical_url: https://docs.coveo.com/en/las95231/
collection: tune-relevance
source_format: adoc
---

# Ensure that authentication enforces search hub values

Any [search interface](https://docs.coveo.com/en/2741/) that relies on the [Coveo Platform](https://docs.coveo.com/en/186/) regularly performs [authenticated](https://docs.coveo.com/en/2120/) HTTP requests against the [Search API](https://docs.coveo.com/en/13/) and [Usage Analytics Write API](https://docs.coveo.com/en/18/).

The most secure query [authentication](https://docs.coveo.com/en/2120/) method is [search token authentication](https://docs.coveo.com/en/1369#search-token-authentication). You'll want to use this [authentication](https://docs.coveo.com/en/2120/) method when your search page [users](https://docs.coveo.com/en/250/) are [authenticated](https://docs.coveo.com/en/2120/) and some (or all) of the [items](https://docs.coveo.com/en/210/) in your [index](https://docs.coveo.com/en/204/) [have item-specific permissions](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system). In this scenario, each user gets a unique [search token](https://docs.coveo.com/en/1346/), allowing the [search interface](https://docs.coveo.com/en/2741/) to return only the [items](https://docs.coveo.com/en/210/) that the [user](https://docs.coveo.com/en/250/) is allowed to see.

Both the [search token](https://docs.coveo.com/en/1369#search-token-authentication) and [API key](https://docs.coveo.com/en/1369#api-key-authentication) [authentication](https://docs.coveo.com/en/2120/) methods allow you to enforce a [search hub](https://docs.coveo.com/en/1342/) value, which protects the security of content that shouldn't be visible to everyone.
> **Important**
>
> In Coveo for Commerce scenarios, queries target the [Commerce API](https://docs.coveo.com/en/103/), which automatically enforces search hub values in queries based on the [commerce interface](https://docs.coveo.com/en/o4ue6279/) from which the query originates.
>
> Therefore, when creating an API key or search token for authenticating requests from a Coveo-powered Commerce solution, ensure that the API key doesn't specify the [search hub](https://docs.coveo.com/en/1342/), as it's automatically set by the Commerce API.
>
> If your [index](https://docs.coveo.com/en/204/) contains sensitive content that shouldn't be visible to everyone, use [source-level permissions](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system) to secure your content instead of enforcing the [search hub](https://docs.coveo.com/en/1342/) value in the API key.
>
> See [Authenticate commerce requests](https://docs.coveo.com/en/o8ld0051/) for more information.

## Example

Your Coveo-powered solution includes the following [search interfaces](https://docs.coveo.com/en/2741/):

| [Search interface](https://docs.coveo.com/en/2741/) description | [Search hub](https://docs.coveo.com/en/1342/) |
|---|---|
| A customer-facing community search page | `ACMECommunitySearch` |
| An internal support agent [Insight Panel](https://docs.coveo.com/en/2898/) | `ACMEAgentInsightPanel` |

The `ACMECommunitySearch` [search interface](https://docs.coveo.com/en/2741/) provides public information that everyone can access, whereas the `ACMEAgentInsightPanel` [search interface](https://docs.coveo.com/en/2741/) also includes information that must only be visible to [authenticated](https://docs.coveo.com/en/2120/) [users](https://docs.coveo.com/en/250/) (support agents).
In your [Coveo organization](https://docs.coveo.com/en/185/), you create a distinct [query pipeline](https://docs.coveo.com/en/180/) using the recommended [condition-based query pipeline routing mechanism](https://docs.coveo.com/en/1666#condition-based-routing-recommended) for each [search interface](https://docs.coveo.com/en/2741/):

| [Query pipeline](https://docs.coveo.com/en/180/) name | Condition | Filter expression |
|---|---|---|
| Community Search | `when $searchHub is ACMECommunitySearch` | `NOT @source==("salesforce-knowledge")` |
| [Insight Panel](https://docs.coveo.com/en/2898/) | `when $searchHub is ACMEAgentInsightPanel` | |

The **Community Search** pipeline contains a filter [query pipeline rule](https://docs.coveo.com/en/236/) (`NOT @source==("salesforce-knowledge")`) that filters content that shouldn't be exposed to [users](https://docs.coveo.com/en/250/) who can access the `ACMECommunitySearch` [search interface](https://docs.coveo.com/en/2741/).

By enforcing the [search hub](https://docs.coveo.com/en/1342/) value in the [search token](https://docs.coveo.com/en/1346/) or API key, you ensure that all [queries](https://docs.coveo.com/en/231/) which originate from the `ACMECommunitySearch` [search interface](https://docs.coveo.com/en/2741/) are routed to the proper pipeline.

> **Warning**
>
> Don't use [query pipeline rules](https://docs.coveo.com/en/236/) to prevent the exposure of filtered content, as we can't guarantee that such content will always be displayed only to the intended users.
>
> For example, [items](https://docs.coveo.com/en/210/) from a [source](https://docs.coveo.com/en/246/) whose content is accessible to everyone (`"sourceVisibility": "SHARED"`) could be exposed if a Coveo administrator, unaware of the reason behind the [query pipeline rule](https://docs.coveo.com/en/236/), modifies or removes the [query pipeline rule](https://docs.coveo.com/en/236/).
>
> If you still decide to configure filter rules to filter [secured](https://docs.coveo.com/en/2093/) content from a [search interface](https://docs.coveo.com/en/2741/), you should always base the filter rule on the [`cq`](https://docs.coveo.com/en/13#operation/searchUsingPost-cq) [query](https://docs.coveo.com/en/231/) parameter.

## Verify whether the search hub is enforced in the authentication method

> **Note**
>
> While the following procedure recommends enforcing the [`searchHub`](https://docs.coveo.com/en/56#searchhub-string-optional) parameter in the [search token](https://docs.coveo.com/en/1346/) for safer routing, you could also enforce the [`pipeline`](https://docs.coveo.com/en/56#pipeline-string-optional) parameter in the [search token](https://docs.coveo.com/en/1346/) to route [queries](https://docs.coveo.com/en/231/).

To comply with the recommended [query](https://docs.coveo.com/en/231/) [authentication](https://docs.coveo.com/en/2120/) method, you should verify the following:

### Step 1: Verify that your queries are properly routed

You should validate that your implementation uses the recommended [condition-based query pipeline routing mechanism](https://docs.coveo.com/en/1666#condition-based-routing-recommended):

1. In the [Coveo Administration Console](https://docs.coveo.com/en/183/), access the [**Query Pipelines**](https://platform.cloud.coveo.com/admin/#/orgid/search/pipelines/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/search/pipelines/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/search/pipelines/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/search/pipelines/)) page.
2. In the table, every [query pipeline](https://docs.coveo.com/en/180/) should have a [`searchHub`](https://docs.coveo.com/en/1342/)-based condition except for the **Default** one. For example, `Search Hub is MySearchHub`.
If your [queries](https://docs.coveo.com/en/231/) aren't routed using this mechanism, see [Condition-based routing (recommended)](https://docs.coveo.com/en/1666#condition-based-routing-recommended) for instructions.

> **Important**
>
> Always use positive [operators](https://docs.coveo.com/en/1959#operators) (for example, `is`, `contains`, or `matches`) when creating a condition that aims at routing the queries originating from a specific search interface to a given query pipeline.

### Step 2: Validate that the search hub is enforced in the authentication

In a Coveo-powered solution, each distinct [search interface](https://docs.coveo.com/en/2741/) should be identified by its own unique [search hub](https://docs.coveo.com/en/1342/) value (see [Set the Search Hub](https://docs.coveo.com/en/365#set-the-search-hub)). This [search hub](https://docs.coveo.com/en/1342/) value should be enforced in the [search token](https://docs.coveo.com/en/1346/) or API key to ensure that [queries](https://docs.coveo.com/en/231/) are routed to the proper [query pipeline](https://docs.coveo.com/en/180/).

The procedure varies depending on whether you're using [search token](https://docs.coveo.com/en/1346/) or API key authentication:

* [Search token authentication](https://docs.coveo.com/en/las95231#search-token-authentication)
* [API key authentication](https://docs.coveo.com/en/las95231#api-key-authentication)

#### Search token authentication

1. In your browser, open your developer tools, and then select the **Network** tab.
2. Access the [search interface](https://docs.coveo.com/en/2741/) that you want to test.
3. Trigger a search request from the [search interface](https://docs.coveo.com/en/2741/). If the [search interface](https://docs.coveo.com/en/2741/) has an input that can provide [query](https://docs.coveo.com/en/231/) suggestions, such as a search box, you should test both [query](https://docs.coveo.com/en/231/) and [query](https://docs.coveo.com/en/231/) suggestion requests.
4. In your browser tools, search for a POST request made against a Coveo search endpoint. For example, you can use a filter such as `cloud.coveo.com/rest/search`.
5. In the request headers, search for the `Authorization` header.
6. Copy the value of the `Authorization` header (the token), and then use a JSON Web Token decoder such as [jwt.io](https://jwt.io/) to decode the [search token](https://docs.coveo.com/en/1346/).
7. In the decoded payload, search for the [`searchHub`](https://docs.coveo.com/en/56#searchhub-string-optional) parameter.

If the [`searchHub`](https://docs.coveo.com/en/1342/) parameter is in the [search token](https://docs.coveo.com/en/1346/), it means that this [search hub](https://docs.coveo.com/en/1342/) is enforced through the [search token](https://docs.coveo.com/en/1346/).

If you don't see the [`searchHub`](https://docs.coveo.com/en/1342/) parameter, enforce the [`searchHub`](https://docs.coveo.com/en/56#searchhub-string-optional) parameter in the [search token](https://docs.coveo.com/en/1346/). See [Search token authentication](https://docs.coveo.com/en/56/) for instructions.

#### API key authentication

If you're using [API key authentication](https://docs.coveo.com/en/105/), you can verify whether a [search hub](https://docs.coveo.com/en/1342/) value is enforced in the API key directly in the [Coveo Administration Console](https://docs.coveo.com/en/183/):

1. On the [**API Keys**](https://platform.cloud.coveo.com/admin/#/orgid/organization/api-access/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/organization/api-access/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/organization/api-access/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/organization/api-access/)) page, click the desired API key, and then click **Edit** in the Action bar.
2. On the subpage that opens, select the **Privileges** tab, and then, in the menu on the left, click **Search**.
3. Scroll down to the bottom of the list of [privileges](https://docs.coveo.com/en/228/). If your API key has been granted [privileges](https://docs.coveo.com/en/228/) that warrant limiting its scope to a [search hub](https://docs.coveo.com/en/1342/), a section appears to let you select a [search hub](https://docs.coveo.com/en/1342/).

   ![Search hub in API key | Coveo](https://docs.coveo.com/en/assets/images/tune-relevance/search-hub-api-key.png)

If you see a [search hub](https://docs.coveo.com/en/1342/) value in the **Limit the API key scope** section, it means that this [search hub](https://docs.coveo.com/en/1342/) is enforced in the API key.

If no value is present, enforce a [search hub](https://docs.coveo.com/en/1342/) in this API key if a [query pipeline](https://docs.coveo.com/en/180/) has this [search hub](https://docs.coveo.com/en/1342/) as a [query pipeline condition](https://docs.coveo.com/en/2793/). See [Create an API key](https://docs.coveo.com/en/1718#create-an-api-key) for instructions.

> **Important**
>
> While it's usually recommended to enforce the [search hub](https://docs.coveo.com/en/1342/) value in the API key to protect the security of content that shouldn't be visible to everyone, this isn't required for Coveo for Commerce solutions, since products are typically accessible to all visitors.
>
> This can be done by setting the parameter to an empty string: `Search hub is ""`.
>
> ![Empty string in Commerce API key | Coveo](https://docs.coveo.com/en/assets/images/coveo-for-commerce/images/api-key-commerce.png)
>
> See [Authenticate commerce requests](https://docs.coveo.com/en/o8ld0051/) for details.
>
> If your [index](https://docs.coveo.com/en/204/) contains sensitive content that shouldn't be visible to everyone, use [source-level permissions](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system) to secure your content instead of enforcing the [search hub](https://docs.coveo.com/en/1342/) value in the API key.
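The token inspection from Step 2 (search token authentication) and the pipeline routing from the Example section, combined in one added example. This is not Coveo's code: it is a Node.js script that decodes the payload of a search token the way a JWT decoder does, then runs the resulting claims through a simplified model of condition-based routing built from the page's example pipelines. The sample tokens, user identity and request body are constructed for illustration, and the model's precedence rule (a `searchHub` enforced in the token overrides the `searchHub` carried in the request body) is an assumption of the model, not a description of the Search API's internals.

```javascript
// Added example, not Coveo's own code. Node.js; no dependencies.
// 1) decode (without verifying) the payload of a bearer token, as in Step 2;
// 2) route the query with a simplified model of the page's example pipelines.

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Constructed token with a dummy signature, for illustration only: real search
// tokens are issued and signed by the Coveo Platform, never built client-side.
function makeSampleToken(payload) {
  const header = { alg: 'HS256', typ: 'JWT' };
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(payload)),
    'c2lnbmF0dXJl', // placeholder signature segment
  ].join('.');
}

// Extracts the bearer token from an Authorization header and decodes its
// payload. This is inspection, not verification: the signature is not checked.
function decodeAuthorizationHeader(headerValue) {
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  if (!m) throw new Error('Authorization header does not carry a bearer token');
  const parts = m[1].split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Mirrors the page's example table. A null hub marks the Default pipeline,
// which has no searchHub-based condition.
const PIPELINES = [
  { name: 'Community Search', hub: 'ACMECommunitySearch', filter: 'NOT @source==("salesforce-knowledge")' },
  { name: 'Insight Panel', hub: 'ACMEAgentInsightPanel', filter: null },
  { name: 'Default', hub: null, filter: null },
];

// Simplified routing model (assumption): a searchHub enforced in the token takes
// precedence; only when the token carries none is the request body's value used.
function routeQuery(claims, requestBody) {
  const enforced = typeof claims.searchHub === 'string';
  const hub = enforced ? claims.searchHub : (requestBody.searchHub ?? null);
  const pipeline = PIPELINES.find((p) => p.hub !== null && p.hub === hub)
    || PIPELINES.find((p) => p.name === 'Default');
  return { searchHub: hub, hubEnforcedByToken: enforced, pipeline: pipeline.name, filter: pipeline.filter };
}

function verifyAndRoute(authorizationHeader, requestBody) {
  return routeQuery(decodeAuthorizationHeader(authorizationHeader), requestBody);
}

// Constructed identity and tokens: one enforcing the community hub, one without a
// searchHub claim at all (the case Step 2 tells you to fix).
const SAMPLE_USER = [{ name: 'asmith@example.com', provider: 'Email Security Provider', type: 'User' }];
const ENFORCED_TOKEN = makeSampleToken({ userIds: SAMPLE_USER, searchHub: 'ACMECommunitySearch', exp: 1700000000 });
const UNENFORCED_TOKEN = makeSampleToken({ userIds: SAMPLE_USER, exp: 1700000000 });

// Constructed request body whose searchHub does not match the community interface
// it was sent from (for example, a misconfigured interface).
const REQUEST = { q: 'reset password', searchHub: 'ACMEAgentInsightPanel' };

console.log('enforced token  :', verifyAndRoute(`Bearer ${ENFORCED_TOKEN}`, REQUEST));
console.log('unenforced token:', verifyAndRoute(`Bearer ${UNENFORCED_TOKEN}`, REQUEST));
```

Run it with `node`. The same request lands in **Community Search** with its filter applied when the token enforces `ACMECommunitySearch`, but in **Insight Panel** with no filter when the token carries no `searchHub` claim, which is why Step 2 requires the claim to be present before relying on pipeline routing.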