Authentication
The Search Indexing service authenticates server-to-server with the x-indexing-service-key header.
The Search Indexing service is an internal, operator-run API that submits Misar-owned domains to search engines. It does not read per-user data, so it has a single authentication mode: a shared service key.
x-indexing-service-key: <INDEXING_SERVICE_KEY>
Every endpoint requires this header. A request without it — or one where the key
does not match INDEXING_SERVICE_KEY — returns 401:
{ "ok": false, "error": "unauthorized" }Never expose the service key
INDEXING_SERVICE_KEY is a server-only secret. Store it in your platform's
secret manager (macOS Keychain locally, Coolify env in production) and read it at
runtime. Never ship it to a browser, mobile app, or any client bundle.
Engine credentials
The service key authorizes the caller. Each search engine additionally needs its own credential, configured as an environment variable on the service. When an engine's credential is absent, that engine is skipped and reported — the request still succeeds for the engines that are configured.
| Engine | Env var |
|---|---|
| IndexNow (Bing, Yandex, Naver, Seznam, Yep) | INDEXNOW_KEY |
| Google (Indexing API + GSC) | GOOGLE_INDEXING_SA_JSON |
| Bing Webmaster | BING_WEBMASTER_API_KEY |
| Yandex Webmaster | YANDEX_WEBMASTER_OAUTH_TOKEN, YANDEX_WEBMASTER_USER_ID |
| Baidu push | BAIDU_PUSH_TOKEN |
Check which credentials are live with GET /status.