Introduction | Yext Hitchhikers Platform

light bulb
Prerequisites
Secure API Tokens are part of the Consumer Auth Initiative to create Private Sites and Authorized Search Experiences. Please refer to this Consumer Auth Overview guide and the relevant guides to get started.

Overview

Client-side calls to Yext APIs from an authenticated page must be protected. If not, this allows a malicious user to grab a Search/Streams/Content Delivery API key exposed on the frontend to access your Search Experience. In order to make sure that all client-side calls are secure, we can use secure API tokens to make authenticated requests.

To make a secure call, the Search SDK can accept a token which is minted at runtime, that is, whenever a page is loaded. The token is passed as an authorization header, as it cannot be tampered with, and contains information such as an API keyID, the audience for which the token is valid, and the identity of the user making the request.

Using these tokens, we can then also implement authorized search. If Search knows which user is making the request, it can respect the permissions of which entities should be allowed to surface for that user as a Search result.