SECURITY
IndexNow API Key Security Best Practices
While IndexNow keys are low-risk compared to payment or auth tokens, they can still be misused. A leaked key allows anyone to trigger URL submissions for your domain, potentially polluting your indexing history with invalid URLs.
What Can an Attacker Do With Your Key?
- Submit spam URLs under your domain (they still must be on your host, so damage is limited)
- Flood Bing with low-quality page submissions, degrading your domain's submission reputation
- Trigger rate limits, causing your legitimate submissions to be delayed or rejected
- Cause confusion in your Bing Webmaster Tools (BWT) reports with unexpected submission history
Key Storage Rules
Use environment variables; never hardcode keys
# .env.local (never commit this file)
INDEXNOW_KEY=d47a82bc1e9f4a3b8c2d5e6f7a8b9c0d
Add .env files to .gitignore
# .gitignore
.env
.env.local
.env.*.local
Never log the key in server-side code
// BAD: the full key appears in logs:
console.log("Submitting with key:", process.env.INDEXNOW_KEY);
// GOOD: log a redacted version (last four characters only):
const key = process.env.INDEXNOW_KEY;
console.log("Submitting with key: ***" + key.slice(-4));
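The storage and logging rules above, combined into one submission helper. This is an added example, not code from the original page: the function names (loadKey, redact, scrub, buildSubmission, submit) are hypothetical, and it assumes Node 18+ for the built-in fetch and the shared api.indexnow.org endpoint.

```javascript
// Added example; helper names are hypothetical, not part of any IndexNow SDK.
// IndexNow keys are 8-128 characters drawn from a-z, A-Z, 0-9 and dashes.
const KEY_FORMAT = /^[A-Za-z0-9-]{8,128}$/;

// Read the key from the environment only; error messages never echo its value.
function loadKey(env = process.env) {
  const key = env.INDEXNOW_KEY;
  if (!key) throw new Error("INDEXNOW_KEY is not set");
  if (!KEY_FORMAT.test(key)) throw new Error("INDEXNOW_KEY has an invalid format");
  return key;
}

// Same redaction as the GOOD line above: keep only the last four characters.
function redact(key) {
  return "***" + key.slice(-4);
}

// Remove the key from arbitrary text (error messages, response bodies)
// before it reaches a logger.
function scrub(text, key) {
  return String(text).split(key).join(redact(key));
}

// Build the JSON body, dropping URLs that are malformed or not on our host.
function buildSubmission(host, urls, key) {
  const urlList = urls.filter((u) => {
    try { return new URL(u).hostname === host; } catch { return false; }
  });
  return { host, key, urlList };
}

async function submit(host, urls, env = process.env, log = console.log) {
  const key = loadKey(env);
  const body = buildSubmission(host, urls, key);
  log(`Submitting ${body.urlList.length} URLs with key: ${redact(key)}`);
  try {
    const res = await fetch("https://api.indexnow.org/indexnow", {
      method: "POST",
      headers: { "Content-Type": "application/json; charset=utf-8" },
      body: JSON.stringify(body),
    });
    if (!res.ok) log(scrub(`IndexNow returned ${res.status}: ${await res.text()}`, key));
    return res.status;
  } catch (err) {
    log(scrub(`IndexNow request failed: ${err.message}`, key));
    throw err;
  }
}
```

Routing every log line that may contain request or response text through scrub covers the case where the key is echoed back in an error body rather than logged directly.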
When to Rotate Your Key
- A developer who had access to the key leaves your organization
- The key was accidentally committed to a public repository
- You see unexpected URL submissions in Bing Webmaster Tools
- You receive 429 errors when you haven't submitted anything recently
- As part of regular security rotation (recommended: annually)