In a previous article, we talked about ways of configuring your Coveo Search Hub. One of those ways involved updating the Search Token itself, albeit through code (if not done by the platform you're using, e.g. Salesforce). Obviously that is the recommended approach as not only does it set the Search Hub, but it restricts what content is returned - which is the goal here.
To ensure you have all options at your disposal, I wanted to show you yet another way of securing your results and, most importantly, of ensuring that the only results returned are the ones you want returned. Now obviously, setting your Search Hub value in the other ways will ensure the right Query Pipeline is run.
But if I had malicious intent, I could just remove it and get the default query pipeline.
So let's explore this a bit further and I can show you a few things and highlight some ways of ensuring your content is secure.
Configuring The API Token
Open up your Platform Admin and navigate to the API Keys area within the left-hand navigation.
From the list displayed, choose the API Key you're working with, or if need be, create one.
On the next page, navigate to Privileges followed by Search.

Once there, you'll notice a Limit the API Key Scope setting at the bottom. Clicking in the drop-down, you can enter a Filter.

Clicking Create the "***" search hub will then restrict this API Key from being used in other Search Hubs. This prevents potentially malicious people from running queries and trying to get data outside of the intended results.
You'll want to ensure that this search hub value matches the one you enter on your search page.
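One way to confirm the scope limit took effect, as an added example that is not from the original article or from Coveo: query with the scoped key using the intended hub, then with the hub omitted and with a different hub, and flag any probe answered by a different query pipeline. The endpoint URL, the `searchHub` and `numberOfResults` request fields, the `pipeline` response field and the hub name `SomeOtherHub` are assumptions to check against your own organization.

```javascript
// Added example. Endpoint, request fields and the `pipeline` response field
// are assumptions, not taken from the article.
const SEARCH_URL = "https://platform.cloud.coveo.com/rest/search/v2";

// Pure check: given the baseline response (intended hub) and the probe
// responses (hub removed or changed), list every probe that was answered
// by a different query pipeline than the baseline.
function findScopeLeaks(baseline, probes) {
  if (baseline.status !== 200 || !baseline.pipeline) {
    throw new Error("baseline query failed; cannot evaluate scope");
  }
  return probes
    .filter((p) => p.status === 200) // a rejected probe is not a leak
    .filter((p) => p.pipeline !== baseline.pipeline)
    .map((p) => ({ label: p.label, pipeline: p.pipeline ?? null }));
}

// Sends one query with the given key; hub === undefined omits searchHub.
async function probe(label, apiKey, hub, fetchImpl = fetch) {
  const body = { q: "", numberOfResults: 1 };
  if (hub !== undefined) body.searchHub = hub;
  const res = await fetchImpl(SEARCH_URL, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  });
  const json = res.ok ? await res.json() : {};
  return { label, status: res.status, pipeline: json.pipeline };
}

// Returns [] when every accepted probe ran through the intended pipeline.
async function auditKey(apiKey, intendedHub, fetchImpl = fetch) {
  const baseline = await probe("intended hub", apiKey, intendedHub, fetchImpl);
  const probes = [
    await probe("hub omitted", apiKey, undefined, fetchImpl),
    await probe("other hub", apiKey, "SomeOtherHub", fetchImpl), // constructed name
  ];
  return findScopeLeaks(baseline, probes);
}
```

Call `auditKey(yourKey, yourHub)` from a test environment; an empty array means no probe reached a pipeline other than the intended one.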
What It Doesn't Do
Something to note, as we did in the previous article as well, is that the Search Hub needs to be designated in the query / CoveoAnalytics component. Without that, the first query itself will show a Search Hub value of either null or default.

If you're using Coveo Atomic, a data-search-hub value is actually required as part of setup, so this isn't an issue. For a basic Search UI, you'll want to force it, and Coveo recommends using the CoveoAnalytics component to do so.
Happy secure searching!




