Authentication
MeiliSearch uses a key-based authentication. There are three types of keys:
- The Master key grants access to all routes.
- The Private key grants access to all routes except the
/keys
routes. - The Public key only grants access to the following routes:
GET /indexes/:index_uid/search
POST /indexes/:index_uid/search
GET /indexes/:index_uid/documents
GET /indexes/:index_uid/documents/:doc_id
- Without any key, you can always access
GET /health
When a master key is provided to MeiliSearch, both the private and the public keys are automatically generated. You cannot create any additional keys.
Master Key
When launching an instance, you have the option of giving a master key. By doing so, all routes will be protected and will require a key to be accessed.
You can specify it by passing the MEILI_MASTER_KEY
environment variable, or using the command line argument --master-key
.
You can retrieve both the private and the public keys using the master key on the keys route.
No master key
If no master key is provided, all routes can be accessed without requiring any key.
API Key
If a master key is set, on each API call, a key must be added to the header.
If no or a wrong API key is provided in the header you will have no access to any route and you will receive theHTTP/1.1 403 Forbidden
status code.
Reset Key
Since both the private and the public keys are generated based on your master key, changing the master key will result in the modification of the two other keys.
After having changed your master key, it is mandatory to restart the MeiliSearch server to ensure the renewal of the private and the public keys.
All keys will be changed. Therefore, it is not possible to change only one of the keys.