Thanks for this. I was maybe using one of these keys until this morning. When I logged in at dashboard.algolia.com and went to Settings -> API Keys, I found that none of the keys (Search, Analytics, Usage, Monitoring) matched the key I was using on a frontend. I made a decent attempt looking for that old key anywhere in their admin panels and could not find it. poof!
So perhaps at some point, they were only giving admin keys (because I don't remember there being a choice; and I would think given the choice I'd make the right one) and when called out (or sometime prior) realized the problem and made a new Settings -> API Keys page. Currently on the page the first one listed is the Search Key, with the subtext "This is the public API key which can be safely used in your frontend code. This key is usable for search queries and it's also able to list the indices you've got access to."
pmdr
Twenty years ago every PHP website had search. We forgot how to do it.
dawnerd
Algolia really needs to make using the admin key less easy. I’ve almost copied it before when setting up a frontend. It should be tucked away and require auth to view.
profer602
This highlights a systemic problem: developers often prioritize speed of integration over security hygiene, especially when dealing with third-party services. The tradeoff is acceptable until it isn't. We need better tooling to automatically detect and flag these types of exposures before they make it to production.
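One shape the "tooling to automatically detect and flag these exposures" could take, as an added example that is not from the thread or from Algolia: scan a frontend bundle for strings that look like Algolia API keys and flag any whose rights go beyond what the Search Key described above holds (search plus listing indices). The 32-hex-character key format, the `acl` names and the sample bundle are assumptions/constructed; in a real pre-deploy check the ACL dict would be filled from Algolia's key-description endpoint rather than hard-coded.

```python
import re

# Assumption (not from the thread): Algolia API keys are 32-char hex strings and
# each key is described by an "acl" list such as ["search", "listIndexes"].
KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Rights a key may hold and still be safe to ship in frontend code: the
# Search Key from the dashboard can search and list indices, nothing more.
FRONTEND_SAFE_ACL = {"search", "listIndexes"}


def frontend_safe(acl):
    """True if every right on the key is one a public search key may hold."""
    return set(acl) <= FRONTEND_SAFE_ACL


def find_candidate_keys(bundle_text):
    """Return the distinct hex strings in a JS bundle that look like Algolia keys."""
    return sorted(set(KEY_RE.findall(bundle_text)))


def audit_bundle(bundle_text, key_acls):
    """Flag every key in the bundle whose ACL grants more than search rights.

    key_acls maps key -> acl list (constructed here; a real check would fetch
    it per key from the Algolia key-description API). Keys missing from the
    map are reported as "unknown" so they are not silently waved through.
    """
    findings = []
    for key in find_candidate_keys(bundle_text):
        acl = key_acls.get(key)
        if acl is None:
            findings.append((key, "unknown", None))
        elif not frontend_safe(acl):
            extra = sorted(set(acl) - FRONTEND_SAFE_ACL)
            findings.append((key, "over-privileged", extra))
    return findings


# Constructed sample: a docsearch-style snippet shipping a search key and a
# leftover crawler key that was minted with write/admin-style rights.
SAMPLE_BUNDLE = """
docsearch({appId:"ABCDEFGH12",apiKey:"0123456789abcdef0123456789abcdef",indexName:"docs"});
var crawler={key:"fedcba9876543210fedcba9876543210"};
"""
SAMPLE_ACLS = {
    "0123456789abcdef0123456789abcdef": ["search", "listIndexes"],
    "fedcba9876543210fedcba9876543210": ["search", "addObject", "deleteIndex", "editSettings"],
}

if __name__ == "__main__":
    for key, status, extra in audit_bundle(SAMPLE_BUNDLE, SAMPLE_ACLS):
        print(f"{key}: {status} {extra or ''}")
```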
stickynotememo
So why hasn't the HomeAssistant docs page been nuked yet?
netsharc
Man, talk about unnecessary graphs... ok graph 2 is maybe tolerable, although it's showing the popularity of the projects, not a metric of how many errors/vulnerabilities found in those projects.
I'm not a newspaper editor, but I think if this was an article for one, they'd also say the graphs are unnecessary. It smells of "I need some visual stuff to make this text interesting"...
the wildest part is algolia just not responding. you email them saying "hey 39 of your customers have admin keys in their frontend" and they ghost you? that's way worse than the keys themselves imo. like the whole point of docsearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. they could just... not issue admin-scoped keys through that flow
trrra
Is this Algolia's (or any provider's) responsibility, or each individual integration's?
TechSquidTV
I have been developing an OpenClaw-like agent that automates exactly this type of attack.
fix4fun
Interesting how many people are already playing with these API keys? ;)
toomuchtodo
Great write-up. Reminder that if you commit these to a GitHub Gist and the provider partners with GitHub for secrets scanning, they'll rapidly be invalidated.
https://www.algolia.com/security.txt 404