Why IndexNow Requires a Unique Key Per Website
The IndexNow spec requires that each domain use its own unique API key. You cannot reuse the same key across multiple domains. Understanding why helps you implement the protocol correctly.
The Ownership Verification Model
IndexNow uses a "key file challenge" to verify domain ownership. When you submit URLs for domain A, Bing fetches https://domainA.com/{key}.txt and checks that the file contents match the submitted key. If the key file exists and matches, submission succeeds.
Because the key file must be hosted on the same domain as the URLs being submitted, the key is inherently domain-scoped. A key that works for siteA.com does not automatically work for siteB.com unless you also host that same key file on siteB.com.
Can You Use the Same Key String on Multiple Sites?
Technically yes, but it is a security risk. The IndexNow protocol allows the same key string to be hosted on multiple domains. But this means if the key is compromised (e.g., leaked in a public repo), an attacker can submit URLs for any domain where that key file exists.
Best practice: generate a unique key for each website, store it in environment variables (not in version control), and keep key files out of publicly accessible git repositories.
Managing Keys for Multiple Sites
- ✓Generate a unique key for each domain using our key generator tool
- ✓Store each key in that site's environment variables (e.g., INDEXNOW_KEY=abc123)
- ✓Name each key file after its own key: public/{key}.txt (unique per site)
- ✓Document your keys in a secure password manager you will need them if you change hosting
- ✓For WordPress multisite: each subsite domain needs its own key file and key value