Skip to main content
This guide shows you the main steps when creating tenant tokens using node-jsonwebtoken, a third-party library.

Generate a tenant token with jsonwebtoken

Build the tenant token payload

First, create a set of search rules: 
{
  "INDEX_NAME": {
    "filter": "ATTRIBUTE = VALUE"
  }
}
Next, find your default search API key. Query the get API keys endpoint and inspect the uid field to obtain your API key’s UID: 
curl \
  -X GET 'MEILISEARCH_URL/keys' \
  -H 'Authorization: Bearer MASTER_KEY'
For maximum security, you should also set an expiry date for your tenant tokens. The following example configures the token to expire 20 minutes after its creation: 
parseInt(Date.now() / 1000) + 20 * 60

Create tenant token

First, include jsonwebtoken in your application. Next, assemble the token payload and pass it to jsonwebtoken’s sign method: 
const jwt = require('jsonwebtoken');

const apiKey = 'API_KEY';
const apiKeyUid = 'API_KEY_UID';
const currentUserID = 'USER_ID';
const expiryDate = parseInt(Date.now() / 1000) + 20 * 60; // 20 minutes

const tokenPayload = {
  searchRules: {
    'INDEX_NAME': {
      'filter': `user_id = ${currentUserID}`
     }
  },
  apiKeyUid: apiKeyUid,
  exp: expiryDate
};

const token = jwt.sign(tokenPayload, apiKey, {algorithm: 'HS256'});
sign requires the payload, a Meilisearch API key, and an encryption algorithm. Meilisearch supports the following encryption algorithms: HS256, HS384, and HS512. Your tenant token is now ready to use.
Though this example used jsonwebtoken, a Node.js package, you may use any JWT-compatible library in whatever language you feel comfortable.

Make a search request using a tenant token

After signing the token, you can use it to make search queries in the same way you would use an API key. 
curl \
  -X POST 'MEILISEARCH_URL/indexes/patient_medical_records/search' \
  -H 'Authorization: Bearer TENANT_TOKEN'

Next steps

Tenant token payload reference

Detailed reference for all fields in the tenant token payload.

Generate tokens with an SDK

Use a Meilisearch SDK to generate tenant tokens with less manual work.

Generate tokens without any library

Build tenant tokens manually by assembling the JWT header, payload, and signature.