March 13, 2026

Searchgate: keys under the doormat

I Found 39 Algolia Admin Keys Exposed Across Open Source Documentation Sites

Open-source docs left the master keys out; panic, jokes, and finger-pointing ensue

TLDR: A researcher found 39 Algolia keys with write permissions exposed on public documentation sites, meaning anyone holding one could change or delete what people see when they search those docs. Comments swung from alarm to gallows humor, calling out slow fixes and vendor silence, and one user even claimed to have automated exactly this kind of attack.

A security sleuth scraped thousands of public documentation pages and found 39 Algolia "admin" keys: keys with write permissions over the search index, where a public docs site should only ever ship a search-only key. With a key like that, anyone can alter or delete what shows up when you search those docs. SUSE/Rancher rotated fast, Home Assistant started remediating but the original key reportedly still had not been revoked, and Algolia's reported silence has the crowd fuming.

The comments came in hot. One camp is sounding sirens ("this could poison search results with phishing!"), while others offer pragmatic tips such as using GitHub's secret scanning to catch leaked keys so they get revoked. The darker-humor crew wonders how many people are already poking at these keys, and one commenter claimed to have built a bot that automates exactly this type of attack, cue the collective yikes. Another thread roasted the post's visuals ("unnecessary graphs") like it was a PowerPoint crime, because of course the internet can multitask: panic and pettiness.

Meanwhile, the blame game is fierce. Is this on maintainers who shipped write-capable keys in front-end code, or on the platform for not preventing it? The meme-ification writes itself ("keys under the doormat", "DocSearch becomes DocBreach") as folks plead for sites to switch to true search-only keys and for Algolia to say something, anything. Until then, the community is on edge and checking whether their own docs sites are affected.

Key Points

  • A researcher found 39 Algolia DocSearch admin API keys exposed in open-source documentation sites.
  • The investigation started after an admin key was discovered on vuejs.org; Vue rotated the key.
  • Targets were built from Algolia’s docsearch-configs repo, scraping ~15,000 sites and scanning 500+ repos with TruffleHog and GitHub code search.
  • Most keys had extensive permissions (e.g., add/delete objects, deleteIndex, editSettings); some included analytics/logs/NLU.
  • SUSE/Rancher revoked their key; Home Assistant started remediation; Algolia was notified but no response was received.
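The practical check behind these key points is: pull the appId/apiKey pair out of a docs page the way the scraper did, ask Algolia what that key is allowed to do, and flag anything beyond "search". The script below is an added example written for this page, not code from the researcher's post or from Algolia. It assumes Algolia's documented ACL names (search, addObject, deleteObject, deleteIndex, editSettings, analytics, logs, nluReadAnswers and so on), that a key can look up its own permissions at `GET /1/keys/{key}`, and that DocSearch app IDs are 10 upper-case alphanumerics and keys 32 hex characters. The sample HTML and the sample ACL response are constructed placeholders, not real credentials; the ACL lookup is injected so the triage runs offline.

```python
"""Triage Algolia DocSearch credentials found in a public docs page.

Added example, not code from the original post. It (1) pulls appId/apiKey
pairs out of page HTML, (2) builds the Algolia "get key" request that reveals
a key's ACL, and (3) classifies the ACL so a write-capable key is flagged.
The sample HTML and sample ACL below are constructed, not real.
"""
import re
from urllib.request import Request

# ACL values that let the holder modify an index (assumption: Algolia's
# documented ACL names; the post lists addObject/deleteObject/deleteIndex/editSettings).
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings", "settings"}
# Non-write ACLs that still go beyond what a public search widget needs.
EXTRA_READ_ACLS = {"browse", "listIndexes", "analytics", "logs", "usage",
                   "nluReadAnswers", "seeUnretrievableAttributes",
                   "recommendation", "personalization"}

# Assumption: app IDs are 10 upper-case alphanumerics and API keys are 32 hex
# chars, which is the shape DocSearch configs use.
_APP_ID_RE = re.compile(r"""appId\s*[:=]\s*["']([A-Z0-9]{10})["']""")
_API_KEY_RE = re.compile(r"""apiKey\s*[:=]\s*["']([0-9a-f]{32})["']""")


def extract_algolia_credentials(html: str) -> list[tuple[str, str]]:
    """Return (appId, apiKey) pairs embedded in a page's inline JS/HTML.

    Each key is paired with the nearest app ID that precedes it, so unrelated
    snippets on the same page are not cross-matched.
    """
    pairs = []
    app_ids = [(m.start(), m.group(1)) for m in _APP_ID_RE.finditer(html)]
    for km in _API_KEY_RE.finditer(html):
        preceding = [a for pos, a in app_ids if pos < km.start()]
        if preceding:
            pairs.append((preceding[-1], km.group(1)))
    return pairs


def key_info_request(app_id: str, api_key: str) -> Request:
    """Build the GET /1/keys/{key} request that returns a key's own ACL.

    Assumption: Algolia lets a key look up its own permissions at this
    endpoint when it authenticates as itself.
    """
    url = f"https://{app_id}.algolia.net/1/keys/{api_key}"
    return Request(url, headers={
        "X-Algolia-Application-Id": app_id,
        "X-Algolia-API-Key": api_key,
    }, method="GET")


def classify_acl(acl: list[str]) -> dict:
    """Classify an ACL list as search-only, read-extended, or write-capable."""
    acls = set(acl)
    write = sorted(acls & WRITE_ACLS)
    extra = sorted(acls & EXTRA_READ_ACLS)
    if write:
        verdict = "write-capable"
    elif acls <= {"search"}:
        verdict = "search-only"
    else:
        verdict = "read-extended"
    return {"verdict": verdict, "write": write, "extra": extra}


def triage(html: str, acl_lookup) -> list[dict]:
    """Extract credentials from html and rate each via acl_lookup(app_id, key).

    acl_lookup is injected so this runs offline; in real use it would send
    key_info_request(...) and return the "acl" field of the JSON response.
    """
    findings = []
    for app_id, key in extract_algolia_credentials(html):
        result = classify_acl(acl_lookup(app_id, key))
        result.update({"appId": app_id, "apiKey": key[:6] + "..."})
        findings.append(result)
    return findings


# Constructed sample: a DocSearch v3 snippet with placeholder credentials.
SAMPLE_HTML = """
<script>
  docsearch({
    container: '#docsearch',
    appId: 'ABCDEFGHIJ',
    apiKey: '0123456789abcdef0123456789abcdef',
    indexName: 'docs',
  });
</script>
"""

# Constructed sample ACL, shaped like the "acl" field of GET /1/keys/{key}.
SAMPLE_ACL = {
    ("ABCDEFGHIJ", "0123456789abcdef0123456789abcdef"):
        ["search", "addObject", "deleteObject", "deleteIndex", "editSettings", "analytics"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML, lambda a, k: SAMPLE_ACL[(a, k)]):
        print(finding)
```

Running it against the constructed sample reports the key as write-capable with addObject, deleteIndex, deleteObject and editSettings, plus analytics as an extra read permission; a correctly configured DocSearch key comes back as search-only. To use it on a live site, replace the injected lookup with a function that sends `key_info_request(...)` and returns the `acl` list from the response.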

Hottest takes

"how many people are already playing with these API keys?" — fix4fun
"why hasn't the HomeAssistant docs page been nuked yet?" — stickynotememo
"automates exactly this type of attack" — TechSquidTV

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.