Authentication overview
Authentication for the APIXU service, now operating under Weatherstack, relies on a simple API key mechanism. An API key is a unique identifier issued to each account upon registration and serves as a bearer token: it identifies the account behind a request, not an individual end user, and anyone who holds it can make requests against that account's quota. When a client application sends a request to the Weatherstack API, it includes the key as the access_key query parameter in the request URL. The API validates the key against its records and grants or denies access to the requested weather data.
This approach simplifies client integration and management, as there is no complex token negotiation or refresh process involved. However, it places a strong emphasis on the secure handling and storage of the API key, as its compromise could lead to unauthorized access to your allocated API request quota. The Weatherstack API supports current weather, historical data, and forecasting functionalities, with each endpoint requiring the same API key for access.
The API provides read-only access to weather data, so a key is never used for write operations or for managing sensitive user data, which removes some of the risk usually attached to broader permissions. When requests are made over HTTPS, transport layer security (TLS) encrypts the connection and protects the key and the returned data in transit (see Cloudflare's TLS explanation); a request sent over plain HTTP exposes the key to anyone on the network path.
Supported authentication methods
The Weatherstack API, which succeeded APIXU, exclusively utilizes API keys for authentication. This method is common for read-only data APIs due to its simplicity and ease of implementation. Developers embed their unique API key directly into the request URL, typically as a query parameter.
Here's a breakdown of the authentication method:
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Query Parameter) | All API requests to Weatherstack (current, historical, forecast data). | Moderate. Sufficient for read-only access, but requires secure handling of the key itself. |
While API keys offer straightforward integration, it is important to understand their security implications. Unlike more complex authentication flows such as OAuth 2.0, an API key alone provides no granular permissions and no user-specific authorization beyond verifying that the caller holds a valid key. Applications must therefore implement their own authorization logic if different users need different levels of access to the Weatherstack API based on application-specific roles. Because the key travels in the query string, it also lands wherever URLs are recorded: web server access logs, proxy logs, browser history and crash reports. Treat any log that captures full request URLs as containing the secret, and restrict access to it accordingly.
Getting your credentials
To obtain your APIXU (Weatherstack) API key, follow these steps:
- Sign Up/Log In: Navigate to the Weatherstack homepage and either sign up for a new account or log in to an existing one. If you were an APIXU user, your account would have been migrated to Weatherstack.
- Access Dashboard: Once logged in, you will be redirected to your personal API Dashboard. This dashboard is your central hub for managing your API usage, viewing analytics, and accessing your credentials.
- Locate API Key: Your unique 32-character hexadecimal API access key will be prominently displayed on the dashboard, typically labeled as "Your API Access Key" or similar.
- Copy Key: Copy this key for use in your application. It is recommended to store it immediately in a secure location, such as an environment variable or a secrets management system, rather than embedding it directly into your code.
- Review Documentation: For specific usage instructions and endpoint details, refer to the Weatherstack API documentation. This documentation will guide you on how to correctly append your API key to different API requests.
Weatherstack offers a Free Plan that includes 250 requests per month, allowing developers to test the API and integrate it into their projects without initial cost. Higher request volumes are available through paid subscription tiers.
Authenticated request example
Once you have your API key, you can integrate it into your API requests. The key is passed as a query parameter named access_key. All requests should be made over HTTPS so that the key and the returned data are encrypted in transit.
Here is an example of an authenticated request using cURL to retrieve current weather data for New York:

```bash
curl "https://api.weatherstack.com/current?access_key=YOUR_ACCESS_KEY&query=New%20York"
```

Important: Replace YOUR_ACCESS_KEY with your actual API key obtained from your Weatherstack dashboard. The example deliberately uses https://; if you copy a sample request that starts with http://, change it before using it anywhere that matters, because the key would otherwise be sent in clear text.
```javascript
// Node.js example using 'node-fetch' v2 (CommonJS). On Node 18+ the global fetch
// can be used instead and the require line dropped.
const fetch = require('node-fetch');
const ACCESS_KEY = process.env.WEATHERSTACK_API_KEY; // Loaded from the environment, never hardcoded
const CITY = 'London';

async function getCurrentWeather(city) {
  // encodeURIComponent keeps spaces and punctuation in city names from breaking the query string
  const url = `https://api.weatherstack.com/current?access_key=${ACCESS_KEY}&query=${encodeURIComponent(city)}`;
  try {
    const response = await fetch(url);
    if (!response.ok) {
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    const data = await response.json();
    // Weatherstack reports an invalid key or an exhausted quota in the JSON body with HTTP 200,
    // so the status check above is not enough on its own.
    if (data.success === false) {
      throw new Error(`Weatherstack error: ${data.error.type}`);
    }
    console.log(`Current weather in ${city}:`, data.current.temperature + '°C');
  } catch (error) {
    // Log the message only; a full error object or the request URL could contain the key.
    console.error('Error fetching weather data:', error.message);
  }
}

getCurrentWeather(CITY);
```
In the Node.js example, process.env.WEATHERSTACK_API_KEY demonstrates the practice of loading the API key from an environment variable, which is a recommended security measure. Never hardcode sensitive credentials directly into your application's source code.
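The example above stops at loading the key and checking the HTTP status. The following is an added example, not code from the Weatherstack documentation, that covers what a production client also needs: it loads and sanity-checks the key from the environment (the dashboard issues a 32-character hexadecimal key, as described under Getting your credentials), percent-encodes caller input, recognises the in-body errors Weatherstack returns with HTTP 200, and strips the key from any error message before it can reach a log line. The error codes 101 (invalid key) and 104 (usage limit reached) are my recollection of Weatherstack's error table and should be checked against the current reference; the fetchImpl parameter is an injection point for offline testing, not a Weatherstack concept.

```javascript
// Added example (not Weatherstack's own code): a client wrapper for /current that
// validates the key's shape, URL-encodes input, distinguishes transport failures
// from Weatherstack's in-body errors, and keeps the key out of every error message.
const BASE_URL = 'https://api.weatherstack.com';
const KEY_PATTERN = /^[0-9a-f]{32}$/i; // dashboard keys are 32 hex characters

// Error codes as I recall them from Weatherstack's public error table (assumption;
// verify against the current reference before relying on the numbers).
const ERROR_KINDS = { 101: 'auth', 104: 'quota' };

function loadAccessKey(env = process.env) {
  const key = env.WEATHERSTACK_API_KEY;
  if (!key) throw new Error('WEATHERSTACK_API_KEY is not set');
  // Do not echo the value in the error: a mistyped key is still a secret.
  if (!KEY_PATTERN.test(key)) throw new Error('WEATHERSTACK_API_KEY is not a 32-character hex key');
  return key;
}

// Replace every occurrence of the key in a string (request URLs, library error text).
function redactKey(text, key) {
  return key ? String(text).split(key).join('[REDACTED]') : String(text);
}

function buildCurrentUrl(city, key) {
  const url = new URL('/current', BASE_URL);
  url.searchParams.set('access_key', key);
  url.searchParams.set('query', city); // URLSearchParams percent-encodes user input
  return url.toString();
}

// Weatherstack signals auth and quota problems in the JSON body, not the HTTP status:
// {"success": false, "error": {"code": 101, "type": "invalid_access_key", "info": "..."}}
function classifyBody(body) {
  if (body && body.success === false && body.error) {
    const { code, type } = body.error;
    return { kind: ERROR_KINDS[code] || 'api_error', type: type || 'unknown' };
  }
  return { kind: 'ok' };
}

async function getCurrentWeather(city, key, fetchImpl = globalThis.fetch) {
  const url = buildCurrentUrl(city, key);
  let response;
  try {
    response = await fetchImpl(url);
  } catch (err) {
    // Network errors often quote the request URL, and that URL carries the key.
    throw new Error(`request failed: ${redactKey(err.message, key)}`);
  }
  if (!response.ok) throw new Error(`HTTP ${response.status} from Weatherstack`);
  const body = await response.json();
  const verdict = classifyBody(body);
  if (verdict.kind !== 'ok') {
    // Surface only the category and type; the body's "info" text belongs in server logs.
    throw new Error(`Weatherstack ${verdict.kind} error (${verdict.type})`);
  }
  return body;
}

// Stand-alone usage (Node 18+ for global fetch); skipped when no key is configured.
if (typeof require !== 'undefined' && require.main === module && process.env.WEATHERSTACK_API_KEY) {
  getCurrentWeather('London', loadAccessKey())
    .then((data) => console.log(`London: ${data.current.temperature}°C`))
    .catch((err) => console.error(err.message));
}
```

The redaction step matters more than it looks: fetch libraries and HTTP agents routinely include the full request URL in connection errors, and an unguarded console.error(err) on that path writes the access key into whatever collects stdout. Classifying the body separately from the status also means an exhausted quota (a signal worth alerting on) is not mistaken for a plain network failure.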
Security best practices
Securing your APIXU (Weatherstack) API key is crucial to prevent unauthorized access and potential abuse of your allocated request quota. Adhering to these best practices will help maintain the integrity and security of your API integration:
- Use HTTPS for All Requests: Always make API requests over HTTPS so that the connection between your application and the Weatherstack API is encrypted and neither the key nor the returned data can be read on the path. Weatherstack redirects HTTP requests to HTTPS, but a redirect does not protect you: by the time the redirect arrives, the key has already been sent in clear text in the original HTTP request. Use https:// URLs explicitly.
- Never Hardcode API Keys: Avoid embedding your API key directly in your source code. Hardcoded keys are exposed when a repository is leaked or when the code ships in a client-side application. Store keys in environment variables, in configuration files excluded from version control (for example a .env file listed in .gitignore), or in a dedicated secrets management service.
- Server-Side Access Only: Whenever possible, call the Weatherstack API from server-side code rather than directly from client-side code (for example JavaScript running in a web browser). A key embedded in a browser request is visible to every end user through the browser's developer tools or network inspector. If browsers need the data, put a proxy endpoint on your own server that holds the key, validates the request, and forwards it; this also gives you a place to apply your own authorization and rate limiting.
- Restrict Referrers/IP Addresses (if available): Some API key management systems offer the ability to restrict API key usage to specific HTTP referrers or IP addresses. While Weatherstack's dashboard does not currently offer referrer or IP restrictions, it is a general best practice for API keys where supported, as outlined in Google Maps API security best practices. Regularly check the Weatherstack dashboard for updates to key management features.
- Regularly Rotate API Keys: Periodically generate new API keys and revoke old ones. This practice, known as key rotation, limits the window of opportunity for a compromised key to be exploited. Weatherstack's dashboard allows you to regenerate your API key, invalidating the previous one.
- Monitor API Usage: Regularly review your API usage statistics available in your Weatherstack dashboard. Unexpected spikes in usage could indicate unauthorized access to your API key. Set up alerts if the dashboard offers such functionality to be notified of unusual activity.
- Implement Error Handling: Handle authentication failures explicitly in your application. Weatherstack reports an invalid or inactive key and an exhausted quota in the JSON body (success set to false, with an error object) rather than through the HTTP status code, so code that only checks the status will treat such responses as successful and then fail on missing fields. Catch these cases, log the error type on the server, and make sure neither the request URL nor the raw error is echoed to end users, since either can reveal the key.
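The proxy recommended under Server-Side Access Only is also the natural place for the application-level authorization that the Supported authentication methods section says the key alone cannot provide. The following is an added example, not Weatherstack's code: a server-side proxy that keeps the access key off the client, decides per application role which Weatherstack endpoints a caller may reach, forwards only allow-listed and validated parameters, caps each caller's request rate so an abusive client cannot burn the monthly quota, and hides upstream error detail from browsers. The role names viewer and analyst, the ROLE_POLICY table, the /weather/ route and the callerId and role plumbing are assumptions for this example; the parameter names historical_date and forecast_days are what I recall from the Weatherstack reference and should be checked against the current documentation.

```javascript
// Added example (not Weatherstack's own code): a server-side proxy with role-based
// endpoint authorization, parameter allow-listing, per-caller rate limiting, and
// suppression of upstream error detail. Role names and the policy table are assumptions.
const UPSTREAM = 'https://api.weatherstack.com';

// Which endpoints each application role may call (authorization the API key itself lacks).
const ROLE_POLICY = {
  viewer: new Set(['current']),
  analyst: new Set(['current', 'historical', 'forecast']),
};

// Client-supplied parameters the proxy will forward, per endpoint, with the shape each must
// match. Parameter names are my recollection of the Weatherstack reference (assumption).
const QUERY = /^[\p{L}\p{N} ,.'-]{1,80}$/u; // city names, postcodes, "lat,lon"
const FORWARDED_PARAMS = {
  current: { query: QUERY },
  historical: { query: QUERY, historical_date: /^\d{4}-\d{2}-\d{2}$/ },
  forecast: { query: QUERY, forecast_days: /^(?:[1-9]|1[0-4])$/ },
};

// Fixed-window limiter: at most `limit` requests per caller per `windowMs`.
class RateLimiter {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit; this.windowMs = windowMs; this.now = now; this.buckets = new Map();
  }
  allow(callerId) {
    const t = this.now();
    const b = this.buckets.get(callerId);
    if (!b || t - b.start >= this.windowMs) { this.buckets.set(callerId, { start: t, count: 1 }); return true; }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// Build the upstream URL, or return an error the client is allowed to see.
function buildUpstreamUrl(endpoint, clientParams, role, key) {
  const allowed = ROLE_POLICY[role];
  if (!allowed || !allowed.has(endpoint)) return { error: { status: 403, message: 'endpoint not permitted for role' } };
  const url = new URL(`/${endpoint}`, UPSTREAM);
  url.searchParams.set('access_key', key); // the key is added here and nowhere else
  for (const [name, pattern] of Object.entries(FORWARDED_PARAMS[endpoint])) {
    const value = clientParams.get(name);
    if (value === null) continue;
    if (!pattern.test(value)) return { error: { status: 400, message: `invalid ${name}` } };
    url.searchParams.set(name, value);
  }
  if (!url.searchParams.has('query')) return { error: { status: 400, message: 'query is required' } };
  return { url: url.toString() };
}

// Core handler, kept independent of the HTTP server so it can be exercised offline.
async function handleProxyRequest({ endpoint, clientParams, role, callerId }, { key, fetchImpl, limiter }) {
  if (!limiter.allow(callerId)) return { status: 429, body: { error: 'too many requests' } };
  const built = buildUpstreamUrl(endpoint, clientParams, role, key);
  if (built.error) return { status: built.error.status, body: { error: built.error.message } };
  let upstreamBody;
  try {
    const res = await fetchImpl(built.url);
    upstreamBody = await res.json();
  } catch (err) {
    console.error('upstream request failed:', err.message.split(key).join('[REDACTED]'));
    return { status: 502, body: { error: 'weather service unavailable' } };
  }
  if (upstreamBody && upstreamBody.success === false) {
    // Log the detail server-side; clients learn only that the upstream call failed.
    console.error('upstream rejected request:', upstreamBody.error && upstreamBody.error.type);
    return { status: 502, body: { error: 'weather service error' } };
  }
  return { status: 200, body: upstreamBody };
}

// Stand-alone server wiring (Node 18+). Role and caller identity must come from your own
// session layer; the fixed role and the remote address below are placeholders.
if (typeof require !== 'undefined' && require.main === module && process.env.WEATHERSTACK_API_KEY) {
  const http = require('node:http');
  const deps = { key: process.env.WEATHERSTACK_API_KEY, fetchImpl: globalThis.fetch, limiter: new RateLimiter(60, 60000) };
  http.createServer(async (req, res) => {
    const url = new URL(req.url, 'http://localhost');
    const endpoint = url.pathname.startsWith('/weather/') ? url.pathname.slice('/weather/'.length) : '';
    const out = await handleProxyRequest(
      { endpoint, clientParams: url.searchParams, role: 'viewer', callerId: req.socket.remoteAddress },
      deps,
    );
    res.writeHead(out.status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(out.body));
  }).listen(8080);
}
```

Two design choices are deliberate. The proxy returns a generic 502 for upstream errors instead of relaying Weatherstack's error object: the upstream "info" text states whether the key is invalid, inactive, or over quota, which is exactly what an attacker probing your integration would like to learn. And the rate limiter sits in front of the upstream call because, behind a proxy, the quota is spent by your clients rather than by whoever holds the key, so a single misbehaving page or script can exhaust the month's allocation without the key ever leaking.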
By diligently following these security measures, developers can significantly reduce the risk of API key compromise and ensure the secure operation of applications integrating with the Weatherstack (APIXU) service.