Skip to main content
This tutorial will show you how to secure your Meilisearch project. You will see how to manage your master key and how to safely send requests to the Meilisearch API using an API key.

Creating the master key

The master key is the first and most important step to secure your Meilisearch project.

Creating the master key in Meilisearch Cloud

Meilisearch Cloud automatically generates a master key for each project. This means Meilisearch Cloud projects are secure by default. You can view your master key by visiting your project settings, then clicking “API Keys” on the sidebar:
An interface element named 'API keys' showing obscured security keys including: 'Master key', 'Default Search API Key', and 'Default Admin API Key'

Creating the master key in a self-hosted instance

To protect your self-hosted instance, relaunch it using the --master-key command-line option or the MEILI_MASTER_KEY environment variable:
The master key must be at least 16-bytes-long and composed of valid UTF-8 characters. Use one of the following tools to generate a secure master key:
Meilisearch will launch as usual. The start up log should include a message informing you the instance is protected:
If you supplied an insecure key, Meilisearch will display a warning and suggest you relaunch your instance with an autogenerated alternative:

Obtaining API keys

When your project is protected, Meilisearch automatically generates four API keys: Default Search API Key, Default Admin API Key, Default Read-Only Admin API Key, and Default Chat API Key. API keys are authorization tokens designed to safely communicate with the Meilisearch API.

Obtaining API keys in Meilisearch Cloud

Find your API keys by visiting your project settings, then clicking “API Keys” on the sidebar:
An interface element named 'API keys' showing three obscured keys: 'Master key', 'Default Search API Key', and 'Default Admin API Key'

Obtaining API keys in a self-hosted instance

Use your master key to query the /keys endpoint to view all API keys in your instance:
Only use the master key to manage API keys. Never use the master key to perform searches or other common operations.
Meilisearch’s response will include at least the default API keys:

Sending secure API requests to Meilisearch

Now you have your API keys, you can safely query the Meilisearch API. Add API keys to requests using an Authorization bearer token header. Use the Default Admin API Key to perform sensitive operations, such as creating a new index:
Then use the Default Search API Key to perform search operations in the index you just created:

Admin API keys

Meilisearch provides two admin API keys for managing your instance:
  • The Default Admin API Key grants full access to all Meilisearch operations except API key management. Use it to configure index settings, add documents, and perform other administrative tasks.
  • The Default Read-Only Admin API Key allows read-only access to the whole database. Use it when you need to retrieve information from your Meilisearch instance without being able to modify it.
Do not expose admin API keys on a public frontend.

Chat API key

The Default Chat API Key is designed for frontend usage with conversational search. It has access to both search and chatCompletions actions, allowing users to both perform searches and interact with the chat completions feature.

Conclusion

You have successfully secured Meilisearch by configuring a master key. You then saw how to access the Meilisearch API by adding an API key to your request’s authorization header.