With Algolia we use Secured API-Keys feature and we really like it. We're wondering is there anything similar that we could use with Elastic?
Here is how Algolia's docs describe it:
The goal of a secured API key is to ensure a set of query parameters cannot be changed by the end user. In order to do that, we compute a HMAC SHA-256 hash between one of your API keys that is used as a secret and the set of query parameters you want to enforce.
- On your backend, you use our API Client to compute the hash with a set of query parameters that you want to have applied in a secure way. The method to do that is generate_secured_api_key. The input is the API key that you want to use and the query parameters. The output is a hash containing inputs encoded in base 64. This method is just a hash computation, there is no network call to our service.
- You pass this hash to the end-user browser or mobile app and the string is used as an API Key.
- In our backend, we will scan all of your API keys and compute the hash corresponding to the set of query parameters. When the hash matches one key, this key, and associated restrictions, will be used to perform the query and the query parameters will be used. If the user tries to change the forced query parameters in the string, then the hash won’t match and the query will be rejected.