This article explains the main usage differences between the two types of security keys in Meilisearch: master key and API keys.

Master key

The master key grants full control over an instance and is the only key with access to endpoints for creating and deleting API keys by default. Since the master key is not an API key, it cannot be configured or listed through the /keys endpoints. Use the master key to create, update, and delete API keys. Do not use it for other operations. Consult the basic security tutorial to learn more about correctly handling your master key.
Exposing the master key can give malicious users complete control over your Meilisearch project. To minimize risks, only use the master key when managing API keys.

API keys

API keys grant access to a specific set of indexes, routes, and endpoints. You can also configure them to expire after a certain date. Use the /keys route to create, configure, and delete API keys. Use API keys for all API operations except API key management. This includes search, configuring index settings, managing indexes, and adding and updating documents. In many cases, the default API keys are all you need to safely manage your Meilisearch project:
  • Use the Default Search API Key for search operations from the frontend
  • Use the Default Admin API Key to configure index settings, add documents, and perform other operations. Do not expose it on a public frontend
  • Use the Default Read-Only Admin API Key for read-only access to all indexes, documents, and settings. Do not expose it on a public frontend
  • Use the Default Chat API Key for conversational search. It can be safely used from the frontend
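
The split described above, as an added example that is not part of the Meilisearch documentation: the master key appears only in the request that creates a scoped, expiring key through the /keys route, and a small audit flags listed keys whose actions go beyond what should reach a browser. The instance URL, the master key placeholder, the `products` index, the `products-writer` key, and the search-only allow-list are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption: the only action this deployment allows in a browser-exposed key.
# Extend the set if you also ship a chat key to the frontend.
FRONTEND_SAFE_ACTIONS = {"search"}

# Constructed sample shaped like the "results" array of GET /keys (values are fake).
SAMPLE_KEYS = [
    {"name": "Default Search API Key", "actions": ["search"], "indexes": ["*"]},
    {"name": "Default Admin API Key", "actions": ["*"], "indexes": ["*"]},
    {"name": "products-writer", "actions": ["documents.add", "search"], "indexes": ["products"]},
]


def build_create_key_request(base_url, master_key, indexes, actions, ttl_days, now=None):
    """Build, without sending, the POST /keys request for a scoped, expiring key."""
    now = now or datetime.now(timezone.utc)
    body = {
        "description": "Scoped key (constructed example)",
        "actions": sorted(actions),
        "indexes": sorted(indexes),
        "expiresAt": (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    return urllib.request.Request(
        base_url.rstrip("/") + "/keys",
        data=json.dumps(body).encode(),
        method="POST",
        # The master key is used here only, for key management.
        headers={"Authorization": "Bearer " + master_key,
                 "Content-Type": "application/json"},
    )


def keys_unsafe_for_frontend(keys):
    """Map key name -> actions beyond the allow-list; an empty dict means all are safe."""
    unsafe = {}
    for key in keys:
        extra = sorted(set(key["actions"]) - FRONTEND_SAFE_ACTIONS)
        if extra:
            unsafe[key["name"]] = extra
    return unsafe


if __name__ == "__main__":
    req = build_create_key_request("http://localhost:7700", "MASTER_KEY_PLACEHOLDER",
                                   ["products"], ["search"], ttl_days=30)
    print(req.get_method(), req.full_url, req.data.decode())
    print(keys_unsafe_for_frontend(SAMPLE_KEYS))
```

Send the built request with `urllib.request.urlopen` from a trusted backend only, and hand the key returned in the response to the client instead of the master key.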