Algolia admin API key leaked: rotate now, never use it client-side
Your Algolia admin API key may be exposed. Here is the fastest possible recovery — three steps, no theory.
Step 01
Algolia Dashboard → API Keys → click the admin key → Reset (creates a new key, kills the old).
Step 02
Update your server env vars and any indexing job credentials.
Step 03
Switch any client-side search code to use a Search-only key (or Secured API Key) instead.
Step 01 — Revoke
Kill the leaked credential first
Account → API Keys → "Admin API Key" row → click "Reset". Confirm. The old key stops working immediately. While you are on that page, list every other API key on the application and delete any you did not create: regenerating the admin key does not revoke keys an attacker may have minted with it. Never use the new admin key in browser code; generate a search-only or secured key for that.
Step 02 — Rotate
Update the new key in the right place
Server-side env vars only — never in client code, and never under a NEXT_PUBLIC_ prefix, which tells Next.js to inline the value into the browser bundle.
import algoliasearch from 'algoliasearch'; // v4 default export; v5 uses the named export `algoliasearch`
const appId = process.env.NEXT_PUBLIC_ALGOLIA_APP_ID!; // the app ID is not a secret
// Server (admin): read only from a server-side variable, so it never reaches the bundle.
const adminClient = algoliasearch(appId, process.env.ALGOLIA_ADMIN_KEY!);
// Client (search-only — safe to ship): the NEXT_PUBLIC_ prefix is what puts it in the browser.
const searchClient = algoliasearch(appId, process.env.NEXT_PUBLIC_ALGOLIA_SEARCH_KEY!);
Step 03 — Scan
Confirm nothing else leaked alongside it
Scan the built client bundle for the admin key value: the search-only key is expected in the browser, the admin key never is, and the two ship side by side without anyone noticing. Check deployed config files, log sinks and git history as well, since the key may live there even after it is gone from the code.
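The bundle check described in Step 03, as an added example (not the page's own tooling). It assumes Node.js, a Next.js build output in `.next/`, and that the build host can read the admin key from `ALGOLIA_ADMIN_KEY` and the public search key from `NEXT_PUBLIC_ALGOLIA_SEARCH_KEY`; all key values and the directory name are assumptions. Algolia API keys are 32 lowercase hex characters, so the scanner flags the exact admin key as critical and any other 32-hex token that sits near an Algolia reference for review, while ignoring the hashes that fill a normal bundle.

```javascript
// Added example, not the page's own code: scan a built client bundle for Algolia API keys.
// Assumptions: Node.js (CommonJS), Next.js output under .next/, env var names as in the lead-in.
const KEY_RE = /\b[0-9a-f]{32}\b/g;   // Algolia API keys are 32 lowercase hex characters
const CONTEXT_RE = /algolia/i;        // only flag unknown tokens that sit near an Algolia reference
const CONTEXT_WINDOW = 200;           // chars either side of a token to search for that reference
const SCAN_EXTENSIONS = new Set(['.js', '.mjs', '.cjs', '.map', '.html', '.json', '.txt']);

// Scan one file's text. Returns findings; an empty array means nothing suspicious.
function scanText(text, { adminKey, searchKeys = [] }, file = '<inline>') {
  const known = new Set(searchKeys);
  const findings = [];
  for (const m of text.matchAll(KEY_RE)) {
    const token = m[0];
    if (token === adminKey) {
      findings.push({ file, offset: m.index, severity: 'critical',
        reason: 'admin API key present in client bundle' });
      continue;
    }
    if (known.has(token)) continue;   // the search-only key is expected in the browser
    const around = text.slice(Math.max(0, m.index - CONTEXT_WINDOW), m.index + token.length + CONTEXT_WINDOW);
    if (CONTEXT_RE.test(around)) {
      findings.push({ file, offset: m.index, severity: 'review',
        reason: 'unrecognised 32-hex token next to an Algolia reference; confirm it is not another admin key' });
    }
    // Any other 32-hex token (content hashes, MD5 digests, UUID fragments) is ignored to keep noise down.
  }
  return findings;
}

// Walk a build directory and scan every file with a text-like extension.
function scanDir(dir, keys) {
  const fs = require('node:fs');
  const path = require('node:path');
  const findings = [];
  for (const name of fs.readdirSync(dir)) {
    const p = path.join(dir, name);
    if (fs.statSync(p).isDirectory()) findings.push(...scanDir(p, keys));
    else if (SCAN_EXTENSIONS.has(path.extname(name))) findings.push(...scanText(fs.readFileSync(p, 'utf8'), keys, p));
  }
  return findings;
}

// Usage as a CI gate after `next build` (assumed env var names):
//   const findings = scanDir('.next', {
//     adminKey: process.env.ALGOLIA_ADMIN_KEY || '',
//     searchKeys: [process.env.NEXT_PUBLIC_ALGOLIA_SEARCH_KEY].filter(Boolean),
//   });
//   for (const f of findings) console.log(`${f.severity}\t${f.file}:${f.offset}\t${f.reason}`);
//   process.exit(findings.some((f) => f.severity === 'critical') ? 1 : 0);
```

The scanner compares against the literal admin key rather than a pattern because every Algolia key looks the same; only the build host, which already holds the admin key server-side, can tell the two apart. Run it against source maps too, since a key stripped from the minified chunk often survives in the `.map` next to it.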
How this usually leaks
- Admin key shipped to the browser instead of the search-only key.
- Embedded in a deployed config file, or committed to the repository (it stays in git history after the file is deleted).
- Logged to a public log endpoint.
FAQ
Frequently asked questions
- What’s the difference between admin, search-only, and secured keys?
- Admin can do anything. Search-only can only run search queries on the indices it is allowed to see. Secured API Keys are generated server-side from a search-only parent key, without any API call: the server computes an HMAC over a set of restrictions (a filter such as the user's id, allowed indices, an expiry time) and the browser gets a key that can only narrow the parent's scope, never widen it, because changing the restrictions invalidates the HMAC.
- Will Algolia detect the leak?
- Algolia does not auto-revoke keys found on GitHub the way OpenAI does, so rotation is on you. Algolia support can help investigate after rotation, and the Logs API (GET /1/logs) returns the application's most recent requests so you can look for traffic you do not recognise.
Deeper dive
Long-term fixes for this leak class