I have a Meilisearch (an indexing tool to serve searches) running, and to make searches on the database I am sharing a hardcoded API key in the JS file of my frontend. I limited which indexes that key can search and how much data can be called at once. Is it still a problem to give one key to everyone? (I am practically just creating a limited public-access database.)
Assuming it only allows GET requests (i.e. nobody with the key can modify or delete anything), then it’s probably fine… unless you’re going to run into any rate-limiting issues where you have one client making tons of requests which causes other clients to get locked out from using it.
Also, if it’s hardcoded in the JS file, you should probably assume that it’s not going to remain a secret forever. Like, would it be a problem if this key got out into the public?
I have just finished limiting what this key can do. It can only search 100 entries in the data. No write access, and no access to all of the database at once, to prevent scraping, so I guess this should be all right? Theoretically it shouldn’t be a problem, I think.
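The three controls discussed in this thread (search-only actions, a fixed index scope, a cap on returned hits) can be checked mechanically before a key ships in frontend code. The following is an added example, not code from any poster or from the Meilisearch project; it assumes the key object shape returned by Meilisearch's `GET /keys` and the `pagination.maxTotalHits` index setting, and the function name, constant and sample objects are constructed for illustration.

```javascript
// Added example, not from the thread. Audits a Meilisearch key object (the JSON
// shape returned by GET /keys) plus per-index settings before the key is
// embedded in frontend code. All sample values are constructed.
const MAX_PUBLIC_HITS = 100; // assumption: the 100-entry cap mentioned in the thread

function auditPublicKey(key, settingsByIndex = {}) {
  const findings = [];
  const actions = key.actions || [];
  const indexes = key.indexes || [];

  // A browser-visible key should carry the "search" action and nothing else.
  if (!actions.includes("search")) findings.push("key has no search action");
  const extra = actions.filter((a) => a !== "search");
  if (extra.length) findings.push(`non-search actions: ${extra.join(", ")}`);

  // "*" or a prefix pattern also covers indexes created later.
  if (indexes.length === 0) findings.push("key has no index scope");
  const wild = indexes.filter((i) => i.includes("*"));
  if (wild.length) findings.push(`wildcard index scope: ${wild.join(", ")}`);

  // pagination.maxTotalHits bounds how many hits one query can page through.
  for (const uid of indexes.filter((i) => !i.includes("*"))) {
    const max = settingsByIndex[uid]?.pagination?.maxTotalHits;
    if (typeof max !== "number") findings.push(`${uid}: maxTotalHits not provided`);
    else if (max > MAX_PUBLIC_HITS) findings.push(`${uid}: maxTotalHits ${max} > ${MAX_PUBLIC_HITS}`);
  }
  return findings;
}

// Constructed samples: a tightly scoped key and an over-privileged one.
const scopedKey = { name: "frontend-search", actions: ["search"], indexes: ["products"], expiresAt: null };
const broadKey = { name: "frontend-search", actions: ["search", "documents.add"], indexes: ["*"], expiresAt: null };
const settings = { products: { pagination: { maxTotalHits: 100 } } };
const defaults = { products: { pagination: { maxTotalHits: 1000 } } };

console.log(auditPublicKey(scopedKey, settings));
console.log(auditPublicKey(broadKey, settings));
console.log(auditPublicKey(scopedKey, defaults));
```

An empty findings list means the key matches the restrictions described above; rate limiting is not covered by this check and has to be enforced in front of the search server.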