Generate tenant tokens without a Meilisearch SDK

This guide shows you the main steps when creating tenant tokens using node-jsonwebtoken, a third-party library.

​

Requirements

• a working Meilisearch project
• a JavaScript application supporting authenticated users
• jsonwebtoken v9.0

​

Generate a tenant token with jsonwebtoken

​

Build the tenant token payload

First, create a set of search rules:

{
  "INDEX_NAME": {
    "filter": "ATTRIBUTE = VALUE"
  }
}

Next, find your default search API key. Query the get an API key endpoint and inspect the uid field to obtain your API key’s UID:

curl \
  -X GET 'MEILISEARCH_URL/keys/API_KEY' \
  -H 'Authorization: Bearer MASTER_KEY'

For maximum security, you should also set an expiry date for your tenant tokens. The following example configures the token to expire 20 minutes after its creation:

parseInt(Date.now() / 1000) + 20 * 60

​

Create tenant token

First, include jsonwebtoken in your application. Next, assemble the token payload and pass it to jsonwebtoken’s sign method:

const jwt = require('jsonwebtoken');

const apiKey = 'API_KEY';
const apiKeyUid = 'API_KEY_UID';
const currentUserID = 'USER_ID';
const expiryDate = parseInt(Date.now() / 1000) + 20 * 60; // 20 minutes

const tokenPayload = {
  searchRules: {
    'INDEX_NAME': {
      'filter': `user_id = ${currentUserID}`
     }
  },
  apiKeyUid: apiKeyUid,
  exp: expiryDate
};

const token = jwt.sign(tokenPayload, apiKey, {algorithm: 'HS256'});

sign requires the payload, a Meilisearch API key, and an encryption algorithm. Meilisearch supports the following encryption algorithms: HS256, HS384, and HS512.

Your tenant token is now ready to use.

​

Make a search request using a tenant token

After signing the token, you can use it to make search queries in the same way you would use an API key.

curl \
  -X POST 'MEILISEARCH_URL/indexes/patient_medical_records/search' \
  -H 'Authorization: Bearer TENANT_TOKEN'