How are you supposed to obfuscate the key in the Swift client?

Open bnhoang2k opened this issue 1 year ago • 5 comments

In the README, you make a node, then use that node to create a config, then finally use that config to create a client. However, you can't even make the config without an apiKey; is there a way to get this key without embedding it in the source code?

It seems weird that you need the client to make an api key; but in order to make a client, you need an API key first!

Typesense Version: v1.0.0

bnhoang2k avatar Sep 20 '24 22:09 bnhoang2k

On Typesense Cloud, you can generate an API key in the UI to use in the client. When self-hosting, you want to use the bootstrap API key in the client or in curl requests, to generate subsequent keys.

jasonbosco avatar Sep 21 '24 00:09 jasonbosco

That was the thing I was afraid of. I was trying to find a way to not embed the bootstrap key (or any key for that matter) into the source code of my iOS application to create other keys. I wanted to hide it.

Is there really no way around this?

bnhoang2k avatar Sep 21 '24 01:09 bnhoang2k

You would run the Typesense server on a remote server, start it with the bootstrap API key of your choice on that server. Then on the server, use the bootstrap API key with curl and the /keys API endpoint and generate a search api key and only use that generated api key in your client libraries.

That way you’re not exposing the bootstrap api key on the client side.

jasonbosco avatar Sep 21 '24 02:09 jasonbosco

So what I'm hearing is make search api key, then embed that into my code? There's no way to hide it?

bnhoang2k avatar Sep 22 '24 00:09 bnhoang2k

For a mobile app, you want to have an API endpoint on your backend, which authenticates a user and then generates a short-lived restricted API key for that user and passes it to the app on login. That way the API key is not embedded inside your app; instead it's ephemeral and only stored in memory.

You can periodically rotate the key as needed in your backend, and invalidate the old one.

jasonbosco avatar Sep 23 '24 19:09 jasonbosco
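One way to build the backend step described in the last reply, as an added example that is not from the thread or the Typesense project: it assumes Typesense's scoped search keys, where the backend derives a per-user key from a search-only parent key by HMAC-SHA256 over the embedded parameters. The parent key value, the `user_id` field name and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed placeholder: a search-only parent key that never leaves the backend.
PARENT_SEARCH_KEY = "EXAMPLE-parent-search-only-key"


def _digest(parent_key, params_json):
    mac = hmac.new(parent_key.encode(), params_json.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()  # always 44 characters


def scoped_search_key(parent_key, user_id, ttl_seconds, now=None):
    """Call after the user has authenticated; returns the key sent to the app."""
    # Reject anything that could alter the filter expression.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", user_id):
        raise ValueError("user_id contains characters not allowed in a filter")
    now = int(time.time()) if now is None else now
    params_json = json.dumps({
        "filter_by": f"user_id:={user_id}",  # hypothetical field in the collection
        "expires_at": now + ttl_seconds,     # key stops working after this time
    })
    raw = _digest(parent_key, params_json) + parent_key[:4] + params_json
    return base64.b64encode(raw.encode()).decode()


def inspect_scoped_key(scoped_key, parent_key):
    """Recompute the HMAC with the parent key and return the embedded limits."""
    raw = base64.b64decode(scoped_key).decode()
    digest, prefix, params_json = raw[:44], raw[44:48], raw[48:]
    expected = _digest(parent_key, params_json)
    if prefix != parent_key[:4] or not hmac.compare_digest(digest, expected):
        raise ValueError("key was not derived from this parent key")
    return json.loads(params_json)


if __name__ == "__main__":
    key = scoped_search_key(PARENT_SEARCH_KEY, "user_42", ttl_seconds=900)
    print(inspect_scoped_key(key, PARENT_SEARCH_KEY))
```

The app receives only the returned string at login and passes it as the `apiKey` when building its client configuration; the filter and expiry are covered by the HMAC, so the app cannot widen them.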