Generate tenant tokens without a Meilisearch SDK

    This guide shows you the main steps when creating tenant tokens using node-jsonwebtoken, a third-party library.


    Generate a tenant token with jsonwebtoken

    Build the tenant token payload

    First, create a set of search rules:

      "INDEX_NAME": {
        "filter": "ATTRIBUTE = VALUE"

    Next, find your default search API key. Query the get an API key endpoint and inspect the uid field to obtain your API key's UID:

    curl \
      -X GET 'http://localhost:7700/keys/API_KEY' \
      -H 'Authorization: Bearer MASTER_KEY'

    For maximum security, you should also set an expiry date for your tenant tokens. The following example configures the token to expire 20 minutes after its creation:

    parseInt( / 1000) + 20 * 60

    Create tenant token

    First, include jsonwebtoken in your application. Next, assemble the token payload and pass it to jsonwebtoken's sign method:

    const jwt = require('jsonwebtoken');
    const apiKey = 'API_KEY';
    const apiKeyUid = 'API_KEY_UID';
    const currentUserID = 'USER_ID';
    const expiryDate = parseInt( / 1000) + 20 * 60; // 20 minutes
    const tokenPayload = {
      searchRules: {
        'INDEX_NAME': {
          'filter': `user_id = ${currentUserID}`
      apiKeyUid: apiKeyUid,
      exp: expiryDate
    const token = jwt.sign(tokenPayload, apiKey, {algorithm: 'HS256'});

    sign requires the payload, a Meilisearch API key, and an encryption algorithm. Meilisearch supports the following encryption algorithms: HS256, HS384, and HS512.

    Your tenant token is now ready to use.

    Using other libraries

    Though this example used jsonwebtoken, a Node.js package, you may use any JWT-compatible library in whatever language you feel comfortable.

    Make a search request using a tenant token

    After signing the token, you can use it to make search queries in the same way you would use an API key.

    curl \
      -X POST 'http://localhost:7700/indexes/patient_medical_records/search' \
      -H 'Authorization: Bearer TENANT_TOKEN'