diff --git a/crates/meilisearch-auth/src/store.rs b/crates/meilisearch-auth/src/store.rs
index bae27afe4..6e4ff8389 100644
--- a/crates/meilisearch-auth/src/store.rs
+++ b/crates/meilisearch-auth/src/store.rs
@@ -89,6 +89,7 @@ impl HeedAuthStore {
         for action in &key.actions {
             match action {
                 Action::All => actions.extend(enum_iterator::all::<Action>()),
+                Action::AllRead => actions.extend(enum_iterator::all::<Action>().filter(|a| a.is_read())),
                 Action::DocumentsAll => {
                     actions.extend(
                         [Action::DocumentsGet, Action::DocumentsDelete, Action::DocumentsAdd]
diff --git a/crates/meilisearch-types/src/keys.rs b/crates/meilisearch-types/src/keys.rs
index df2810727..023e7e786 100644
--- a/crates/meilisearch-types/src/keys.rs
+++ b/crates/meilisearch-types/src/keys.rs
@@ -218,6 +218,9 @@ pub enum Action {
     #[serde(rename = "*")]
     #[deserr(rename = "*")]
     All = 0,
+    #[serde(rename = "*.read")]
+    #[deserr(rename = "*.read")]
+    AllRead,
     #[serde(rename = "search")]
     #[deserr(rename = "search")]
     Search,
@@ -396,6 +399,51 @@ impl Action {
         }
     }
 
+    /// Whether the action should be included in [Action::AllRead].
+    pub fn is_read(&self) -> bool {
+        use Action::*;
+
+        // It's using an exhaustive match to force the addition of new actions.
+        match self {
+            // Any action that expands to others must return false, as it wouldn't be able to expand recursively.
+            All | AllRead | DocumentsAll | IndexesAll | ChatsAll | TasksAll | SettingsAll
+                | StatsAll | MetricsAll | DumpsAll | SnapshotsAll | ChatsSettingsAll => false,
+
+            Search => true,
+            DocumentsAdd => false,
+            DocumentsGet => true,
+            DocumentsDelete => false,
+            IndexesAdd => false,
+            IndexesGet => true,
+            IndexesUpdate => false,
+            IndexesDelete => false,
+            IndexesSwap => false,
+            TasksCancel => false,
+            TasksDelete => false,
+            TasksGet => true,
+            SettingsGet => true,
+            SettingsUpdate => false,
+            StatsGet => true,
+            MetricsGet => true,
+            DumpsCreate => false,
+            SnapshotsCreate => false,
+            Version => true,
+            KeysAdd => false,
+            KeysGet => false, // Prevent privilege escalation by not allowing reading other keys.
+            KeysUpdate => false,
+            KeysDelete => false,
+            ExperimentalFeaturesGet => true,
+            ExperimentalFeaturesUpdate => false,
+            NetworkGet => true,
+            NetworkUpdate => false,
+            ChatCompletions => false, // Disabled because it might trigger generation of new chats.
+            ChatsGet => true,
+            ChatsDelete => false,
+            ChatsSettingsGet => true,
+            ChatsSettingsUpdate => false,
+        }
+    }
+
     pub const fn repr(&self) -> u8 {
         *self as u8
     }