I'm trying to follow this guide about User-restricted access to data.
It explains that I should create a secured API key for each user to manage who can read certain documents.
What I don't understand is that we already have the Search-Only API key, which has search permissions for all indexes and is supposed to be exposed in the front end. So, while I can generate a secured API key for each user individually, if the user knows the Search-Only API key, he can still use it to search for documents that should not be allowed in the generated secured API key.
I couldn't find a way to restrict search permissions of the Search-Only API key for entire indexes. Maybe the idea is to not expose the Search-Only API key but that doesn't seem like a secure way, as this is is explicitly meant to be used in the frontend?
What am I missing here?
Correct. If you intend to use secure API keys to restrict search, you will do this instead of using the default Search API key.
All searches should be using secure keys, with the "default" key being a generated secure API key scoped to only access public content -- or always generate a user-specific secure key if the content is only searchable if the user is logged in.
You should never expose the default Search-only key in the front end for this use case.