AI and Machine Learning Search premium premium field-manual-template-specs

Search query key

A search query key is the safer API key you give to an application that only needs to run searches. It can retrieve matching documents from an Azure AI Search index, but it cannot create indexes, change schemas, rotate admin keys, or modify indexers. Think of it as a read-only search credential, not a full service password. It is useful when a web app, mobile app, or partner integration needs search results without the power to damage the search service.

Back to glossary browser Open Microsoft Learn source
Aliases
Azure AI Search query key, search API query key, read-only search key, query API key, Azure Search query key
Difficulty
fundamentals
CLI mappings
5
Last verified
2026-05-23

Microsoft Learn

A search query key is an Azure AI Search API key that permits read-only document queries against indexes. It is intended for client applications that need search results but should not manage indexes, data sources, indexers, skillsets, or service configuration.

Microsoft Learn: Connect to Azure AI Search using API keys2026-05-23

Technical context

In Azure architecture, a query key belongs to the Azure AI Search data-plane authentication model. It sits below the service control plane and above application query calls. The search service still exists as an Azure resource with RBAC, networking, diagnostics, and capacity settings, but the query key is used by clients calling index document endpoints. Admin keys and data-plane roles can manage broader objects, while query keys should support limited retrieval workflows through server code, gateways, or carefully controlled client paths.

Why it matters

Search query keys matter because search applications often need broad read access while still avoiding administrative exposure. A leaked admin key can create, update, or delete search objects, but a query key is limited to querying documents. That difference matters for public search boxes, partner portals, embedded assistants, and RAG applications where credentials may pass through deployment pipelines or application settings. Using query keys also creates a cleaner operational boundary: developers can rotate, name, and inventory query access separately from service administration. It is not a complete security model, but it prevents a common mistake where simple search clients are overprivileged from day one.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Azure portal Keys blade for a search service, query keys appear separately from primary and secondary admin keys, often with custom names for applications.

Signal 02

In Azure CLI output from az search query-key list, each entry shows the key name and value, which operators should handle as secret material during rotation and access reviews.

Signal 03

In application configuration, a query key often appears beside the search endpoint and index name, usually as a Key Vault reference or protected app setting.

Signal 04

In failed search calls, HTTP 403 responses can reveal that the application used an invalid query key, an admin-key-only operation, or the wrong service endpoint.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Give a public documentation site read-only access to one search index without exposing admin keys that can change schemas or indexers.
  • Create separate query keys for web, mobile, and partner integrations so rotation and incident response can target one client at a time.
  • Move a search application from admin-key authentication to least-privilege query access before an external launch or security review.
  • Support RAG retrieval through a backend service that holds the query key, injects tenant filters, and prevents users from bypassing authorization.
  • Retire abandoned prototype keys after comparing CLI inventory with current application settings and recent query activity.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Museum ticket portal separates public search from administration

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A city museum network launched a public ticket portal that searched events, exhibits, and accessibility notes. The first prototype used an admin key in an app setting shared by several contractors.

Business/Technical Objectives
  • Remove administrative search privileges from the public portal.
  • Keep event search available during weekend ticket releases.
  • Create key ownership evidence for the city security office.
  • Rotate contractor-held credentials before launch.
Solution Using Search query key

The cloud team created a named search query key for the portal and stored it as a Key Vault reference in Azure App Service. The backend used that key only for document search calls against the public events index, while index changes, indexer runs, and schema updates stayed behind a separate operations identity. Azure CLI listed all existing query keys, identified two prototype keys with unclear owners, and created a replacement key for production. During launch rehearsal, engineers posted sample search requests with az rest, confirmed that the query key could retrieve event documents, and verified that admin-only index operations failed. After all deployment slots used the new setting, the team deleted the contractor keys and attached the CLI transcript to the security review.

Results & Business Impact
  • Admin-key exposure in portal configuration dropped from three settings to zero.
  • Ticket-release search stayed online through a 4.8x traffic spike.
  • Credential ownership evidence was prepared in 18 minutes instead of a manual half-day review.
  • Two contractor prototype keys were removed before the public launch.
Key Takeaway for Glossary Readers

A search query key gives public search experiences the access they need without handing application code control over the search service.

Case study 02

SaaS knowledge portal isolates customer retrieval credentials

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A collaboration SaaS vendor added AI-assisted knowledge search for enterprise customers. Security testing found that one shared admin key powered both ingestion jobs and customer-facing retrieval.

Business/Technical Objectives
  • Separate retrieval credentials from ingestion administration.
  • Support customer-specific filtering through a backend gateway.
  • Reduce blast radius if a retrieval credential leaks.
  • Document rotation steps for the customer success team.
Solution Using Search query key

The platform team created a dedicated search query key for the retrieval gateway and kept admin keys only in the ingestion worker. The gateway authenticated users with Microsoft Entra ID, injected tenant and workspace filters, and called Azure AI Search with the query key from Key Vault. Developers used Azure CLI to list keys, create environment-specific query keys, and verify that the retrieval key could not create indexes or alter indexers. The deployment pipeline updated staging first, then production, with health checks that replayed known customer queries. Old shared secrets were deleted after diagnostics showed zero calls from the previous configuration for seven days.

Results & Business Impact
  • Privileged search credentials were removed from three customer-facing services.
  • A simulated leak could no longer delete indexes or change data sources.
  • Rotation runbook time fell from 90 minutes to 22 minutes.
  • Customer search p95 latency remained under 210 milliseconds because filtering stayed in the gateway.
Key Takeaway for Glossary Readers

Query keys work best when a trusted backend combines read-only search access with identity-aware filters and auditable rotation.

Case study 03

University library retires abandoned discovery keys

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A university library maintained multiple search prototypes for catalog discovery, archives, and research guides. Nobody knew which API keys were still active after two semester projects ended.

Business/Technical Objectives
  • Inventory every query key and assign an owner.
  • Remove abandoned keys without breaking student search.
  • Separate public catalog search from staff-only archive retrieval.
  • Improve audit evidence for annual data governance review.
Solution Using Search query key

The Azure administrator used az search query-key list across the library search services and matched key names with App Service settings, Function App configuration, and Key Vault references. Public catalog search received a clearly named query key tied to the production portal, while staff archive tools used a separate backend-held key with stricter filters. The team ran sample searches from each application, watched diagnostics for authentication failures, and left suspected abandoned keys disabled by configuration for one week before deletion. They also updated naming standards so new keys include application, environment, owner, and rotation month.

Results & Business Impact
  • Seven query keys were reduced to three owned credentials.
  • No student-facing search outage occurred during cleanup.
  • Annual audit preparation shrank from two days of interviews to a single exported evidence file.
  • Staff archive retrieval errors dropped 34 percent after public and internal keys were separated.
Key Takeaway for Glossary Readers

Search query keys are small objects, but disciplined naming and cleanup prevent forgotten read paths from becoming long-term data exposure.

Why use Azure CLI for this?

After ten years of Azure operations, I use Azure CLI for query keys because key hygiene fails when it lives only in portal screenshots. CLI lets me list query keys, create purpose-named keys for applications, delete retired keys, and capture evidence without exposing admin credentials in a ticket. It also helps compare dev, test, and production services before a rotation. The actual query call often uses REST or an SDK, but CLI is the repeatable control point for inventory, key lifecycle, resource context, diagnostics, and scripted checks during release windows or security reviews. That record also helps auditors understand exactly who changed a credential and why.

CLI use cases

  • List query keys for a search service and verify that every named key still maps to a live application owner.
  • Create a new query key before rotating an application setting or deployment slot during a controlled release window.
  • Delete a retired query key after logs confirm that no production traffic still depends on it.
  • Use az rest with a query key to validate read-only search behavior without granting administrative permissions.
  • Export query-key inventory evidence for an access review, vendor offboarding, or incident response record.

Before you run CLI

  • Confirm the tenant, subscription, resource group, search service name, index name, and whether the key is for production or nonproduction.
  • Use permissions that can manage search service keys, and avoid printing key values in shared terminals, logs, screenshots, or tickets.
  • Plan rotation as a two-step change: create or copy a replacement, update all consumers, validate traffic, then delete the old key.
  • Check whether the workload should use Microsoft Entra ID data-plane roles instead of API keys before creating another secret.

What output tells you

  • The key name identifies the application or integration owner; vague names make rotation and incident response slower.
  • The key value is secret material and should be copied only into approved secret storage or deployment configuration.
  • The service resource ID confirms the Azure boundary, subscription, and resource group before you change keys for the wrong environment.
  • HTTP status from a test query separates authentication problems from index, filter, schema, or relevance problems.

Mapped Azure CLI commands

Search query key operational checks

direct
az search service show --name <search-service> --resource-group <resource-group>
az search servicediscoverAI and Machine Learning
read-only Microsoft docs
az search query-key list --service-name <search-service> --resource-group <resource-group>
az search query-keydiscoverAI and Machine Learning
secret-output Microsoft docs
az search query-key create --name <key-name> --service-name <search-service> --resource-group <resource-group>
az search query-keysecureAI and Machine Learning
creates-secret Microsoft docs
az search query-key delete --name <key-name> --service-name <search-service> --resource-group <resource-group>
az search query-keyremoveAI and Machine Learning
destructive Microsoft docs
az rest --method post --url "https://<search-service>.search.windows.net/indexes/<index-name>/docs/search?api-version=2024-07-01" --headers "api-key=<query-key>" "Content-Type=application/json" --body @query.json
az restdiscoverAI and Machine Learning
read-only Microsoft docs

Architecture context

Architecturally, a search query key should be treated as an application credential with a deliberately narrow job. I normally avoid placing it directly in browser code unless the exposure is acceptable and the index contains only public data. For enterprise apps, the backend or API gateway holds the key, applies tenant filters, logs the request, and returns only approved fields. In RAG systems, the key belongs beside the retriever service, not inside prompts or user-visible configuration. Query keys sit alongside private endpoints, app settings, managed identity, RBAC, Key Vault references, and index-level security trimming as one piece of the search access design.

Security

Security impact is direct because a query key grants document-read capability. It should never protect highly sensitive search results by itself; applications still need authentication, authorization, tenant filters, and field-level retrieval discipline. Store query keys in Key Vault, app settings with restricted access, or managed configuration, not in source code. Prefer Microsoft Entra ID and data-plane RBAC where the workload supports it, especially for enterprise services. Rotate keys when teams, vendors, or deployment channels change. Remember that a query key cannot administer the service, but it can still expose indexed data if the application sends broad queries. Review exposure after every vendor handoff, merger, environment split, or emergency rotation.

Cost

A query key is not a separate billing object, so its cost impact is indirect. The expensive path appears when broad or uncontrolled clients generate high query volume, semantic reranking, vector retrieval, or downstream model calls. A leaked key against a public endpoint can also drive unexpected traffic until it is deleted. Good key ownership helps FinOps teams tie query behavior to applications, rotate abandoned integrations, and identify clients that should be throttled or moved behind an API layer. The key itself is free, but unmanaged query access can force extra replicas, logging, incident response, and support effort. Traffic attribution makes chargeback conversations calmer, faster, and easier to defend.

Reliability

Reliability impact is indirect but real. A missing, deleted, expired-by-process, or misrouted query key can make an otherwise healthy search service look down to users. During key rotation, keep an old key active until every application instance, slot, function, and partner integration has switched to the new value. Use named query keys so incident responders can identify which app is affected. Monitor failed query authentication separately from service capacity errors. For multi-region or blue-green deployments, validate that each environment uses the correct service endpoint and key pair before routing traffic. That simple check prevents confusing outages during otherwise healthy capacity events.

Performance

The key does not make searches faster or slower by itself, but it affects how query traffic reaches the service. A key embedded in many unmanaged clients can create noisy, bursty traffic that is harder to throttle and diagnose. A backend-held key lets engineers add caching, request shaping, tenant filters, retries, and circuit breakers before calls hit Azure AI Search. During performance investigations, knowing which query key belongs to which app helps separate legitimate load from abandoned tools or test clients. Credential clarity improves diagnostic performance because teams can isolate sources quickly. It also improves load-test analysis when clients are separated by credential.

Operations

Operators manage query keys by listing current keys, checking naming conventions, creating replacement keys, updating application configuration, and deleting retired keys after validation. They should document the owner, purpose, environment, and rotation date for every key. CLI and deployment pipelines help avoid manual copy mistakes, especially across multiple search services. Troubleshooting usually starts by confirming the service endpoint, index name, key type, and HTTP status. A 403 often means the key is wrong or insufficient, while a 404 can mean the application is querying the wrong index or service. Runbooks should include owners, environments, and last rotation evidence for every key.

Common mistakes

  • Using an admin key in a simple search client because it was the first key visible in the portal.
  • Embedding a query key in browser code for an index that contains nonpublic or tenant-specific content.
  • Deleting an old key immediately after rotation without checking deployment slots, functions, workers, and partner integrations.
  • Naming every key default or app, which makes ownership unclear during audits and incident response.
  • Assuming a query key enforces row-level security when filters and backend authorization are still required.