Hide Tokens and Endpoints in UI Kits

SearchStax UI Kits run in the browser. Like other client‑side search UIs, they use your App’s Search Endpoint (/emselect) and Read‑Only token on the page.

UI Kits call the Search API from the browser. The Search Endpoint (/emselect) and a Read‑Only credential must be present in client code so the browser can request results. Visibility does not equal unrestricted access. You control which documents and fields the Search API returns.

Tip: Tokens are scoped for read access and can be rotated.

Warning: Don’t use Read & Write credentials in the browser.

If you don’t want to expose the endpoint or token, you have a couple of options.

Option 1: Add a Lightweight Server Proxy

Use a server‑side route that forwards approved queries to /emselect. Store the API token and endpoint on the server so they aren’t exposed in client code.

  1. Create a /search route on your server.
  2. Allowlist the query parameters you will accept (for example, q, rows, start, and specific facets). Reject everything else.
  3. Enforce rate limits and reasonable timeouts on the route.
  4. From the route, call your Search App’s /emselect using the server‑stored Read‑only token and return the JSON to the browser.

Using a proxy reduces token and endpoint exposure and lets you add controls like rate limits. Use it when you need stricter control or additional auditing.

Option 2: Restrict What Search Returns with Data Filters

Data Filters limit which documents are returned for a given Search Profile. Use them to hide content that should never be surfaced by public clients.

  1. Open Configurations > Advanced configurations > Data Filters for your profile.
  2. Add Include or Exclude rules to restrict results to approved content.
  3. Save and test in Preview.

Note: Filters apply before ranking and rules. Validate logic to avoid unintentionally hiding needed content.

Articles in this section