Scoped search tokens

HMAC-signed tokens that narrow permissions to a specific index, user, TTL, and filter — never widen them.

Fine-grained access control

Issue a token server-side, ship it to the browser. It expires, it is locked to one index, and it can only AND-narrow the result set.

HMAC-signed

Tokens are signed with your secret. Tampering or replay is cryptographically detectable.

TTL-bound

Every scoped token carries an expiry. Short-lived tokens for browser sessions; longer TTLs for server-to-server.

AND-combined filters

A token can carry a mandatory filter (e.g. userId = 42). The server AND-combines it with the caller's filter — never OR.

Origin locking

Pin a token to specific origins. A token exported in JavaScript can only be used from your domain.

Index-scoped

Each token is bound to a single index. Cross-index queries require a separate token per index.

Server-side issuance

Tokens are issued by your backend via a single API call. The browser never sees your admin API key.

Signed filters, not shared keys

Issue short-lived tokens that can only narrow search access for a tenant or user.

```json
// POST /v1/projects/:projectId/scoped-tokens
{
  "scope": { "filter": "status:published", "collections": ["products"] },
  "origin": "*.mysite.com",
  "expires_in": 7200,
  "token": "ss_scoped_mVGKq4QFRQAB_xRddl6m..."
}
```
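To make the narrowing guarantees concrete, here is an added example (not Search OS code) of what the backend side of such a scheme looks like: issuing an HMAC-signed token bound to one collection, a mandatory filter, an origin pattern and an expiry, then verifying it on a query and AND-combining its filter with the caller's. The token layout, claim names and the `issue_scoped_token` / `authorize_query` helpers are assumptions for illustration.

```python
import base64, fnmatch, hashlib, hmac, json, time

PREFIX = "ss_scoped_"  # assumed token prefix, mirroring the example above

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_scoped_token(secret: bytes, collection: str, mandatory_filter: str,
                       origin: str, expires_in: int, now=None) -> str:
    """Server-side issuance: sign claims that can only narrow access."""
    now = int(time.time()) if now is None else now
    claims = {"scope": {"filter": mandatory_filter, "collections": [collection]},
              "origin": origin, "exp": now + expires_in}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()  # HMAC-SHA256 over the claims
    return PREFIX + _b64(payload) + "." + _b64(tag)

def authorize_query(secret: bytes, token: str, collection: str,
                    caller_filter: str, request_origin: str, now=None) -> str:
    """Verify the token and return the effective filter (token filter AND caller filter)."""
    now = int(time.time()) if now is None else now
    if not token.startswith(PREFIX):
        raise PermissionError("not a scoped token")
    try:
        body, tag = token[len(PREFIX):].split(".")
        payload, given = _unb64(body), _unb64(tag)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time compare
        raise PermissionError("bad signature")   # tampered claims or wrong secret
    claims = json.loads(payload)
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if collection not in claims["scope"]["collections"]:
        raise PermissionError("index not in token scope")
    # simplified glob match for origin patterns such as "*.mysite.com"
    if not fnmatch.fnmatchcase(request_origin, claims["origin"]):
        raise PermissionError("origin not allowed")
    mandatory = claims["scope"]["filter"]
    # the caller can only narrow further; the mandatory filter is always applied
    return mandatory if not caller_filter else f"({mandatory}) AND ({caller_filter})"
```

Because the signature covers every claim, a browser that edits the filter, the collection list or the expiry produces a token that fails `hmac.compare_digest` before any of the scope checks run.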

Launch Search OS in one evening

Create an index, add documents and connect search from your app. Free tier covers a prototype — data persists when you upgrade.