How authentication works
Meilisearch's security model has three layers:
- Master key: a secret you set at launch. It is never used directly in API requests, but it generates the default API keys
- API keys: credentials used to authenticate API requests. Meilisearch creates two default keys (admin and search) when you set a master key
- Tenant tokens: short-lived, client-side tokens derived from API keys. They enforce per-user search rules without exposing your API keys
Security checklist
For production self-hosted instances:
- Set a master key of at least 16 bytes
- Set the environment to production
- Use HTTPS via a reverse proxy or direct SSL
- Use the search API key (not the admin key) in front-end applications
- Consider tenant tokens for multi-tenant search
- Restrict network access with firewall rules
Next steps
Master key and API keys
Understand the difference between master key and API keys, and how to manage them.
Secure your project
Step-by-step tutorial for setting up authentication on your instance.
Protected and unprotected instances
Learn what happens when your instance has no master key.
HTTP/2 and SSL
Configure HTTPS directly on Meilisearch without a reverse proxy.