
API Keys

Introduction

All requests require a valid API key. You may create as many API keys as you wish (e.g. one per project) and apply optional domain restrictions, which are recommended for front-end usage (see Security).

Managing your keys

You can manage your keys by logging into your account and visiting Settings > API Keys. Here you can add new keys, view existing keys and delete keys you no longer need.


Security

If you use a front-end library such as Algolia's Autocomplete, remember that your key can be easily obtained, as these are user-facing solutions. It is therefore recommended that you put some limitations in place to prevent abuse:

Set a key expiry

When creating a key you can define how long until it expires and ceases to function. If unspecified or empty, this setting defaults to 'never expire'.

Restrict usage per IP

When creating a key you can define the maximum number of searches an IP address can perform per hour. If unspecified or empty, this setting defaults to 'no limit'.

Restrict usage to domains

When creating a key you can define a list of referrers / domains that are authorised to query the API with a given key. If unspecified or empty, this setting defaults to any referrer.

You can target referrers by matching a prefix or a suffix using the * wildcard, for example:

Restrict access to all referrers starting with https://example.com:

https://example.com/*

Restrict access to all referrers ending with .example.com:

*.example.com

Allow access for the full example.com domain:

*example.com/*

Referer and Origin headers
Some browsers intentionally remove the Referer and Origin headers from third-party requests. If you’re using a search API key with restrictions on the referrer, this will prevent users from searching on these browsers.
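
The three wildcard patterns and the Referer note above can be checked against sample values before a key is saved. This is an added example, not PlacesAPI's own code: it assumes `*` matches any run of characters and that the whole referrer string must match (the service's real matcher may differ), and `patternToRegExp`, `isReferrerAllowed`, `audit` and the sample referrers are constructed for illustration.

```javascript
// Added example: the matching rules below are an assumption, not PlacesAPI's implementation.
// Assumed semantics: '*' matches any run of characters (including none),
// every other character is literal, and the whole referrer must match.

function patternToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$');
}

// An empty allow-list means "any referrer" (the documented default).
// With a non-empty list, a request that carries no referrer cannot match.
function isReferrerAllowed(referrer, patterns) {
  if (patterns.length === 0) return true;
  if (!referrer) return false;
  return patterns.some((p) => patternToRegExp(p).test(referrer));
}

// Constructed referrer values used to audit a pattern list.
const SAMPLES = [
  'https://example.com/search',      // page on the main site
  'https://shop.example.com/',       // subdomain, Referer-style (trailing slash)
  'https://shop.example.com',        // subdomain, Origin-style (no path)
  'https://notexample.com/',         // different domain sharing the suffix
  'https://example.com.other.test/', // different domain sharing the prefix
  '',                                // header stripped by the browser
];

// Returns the sample referrers that the given pattern list would admit.
function audit(patterns) {
  return SAMPLES.filter((r) => isReferrerAllowed(r, patterns));
}

console.log(audit(['https://example.com/*']));
console.log(audit(['*.example.com']));
console.log(audit(['*example.com/*']));
```

Under these assumed rules, `*example.com/*` also admits `https://notexample.com/`, and any restricted key rejects a request that arrives without a referrer.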

Important
PlacesAPI isn’t responsible for any third-party services you may use, and it is your sole responsibility to follow security best practices (e.g. always using SSL, injecting keys via environment variables, etc.).

For further details please visit Algolia's guide to security best practices.