Authentication overview
Geoapify provides various APIs for mapping and geospatial services, including Geocoding, Places, Routing, and Map Tiles. Access to these services is controlled through authentication, which verifies the identity of the client making a request and ensures adherence to usage policies and quotas. Geoapify's authentication mechanism is designed for straightforward integration, primarily relying on API keys for securing requests.
The core principle of Geoapify's authentication involves attaching a unique API key to each request. This key acts as a digital credential, identifying your application or project to the Geoapify servers. Upon receiving a request, the server validates the provided API key against its records. If the key is valid and associated with an active account, the request is processed; otherwise, it is rejected, typically with an HTTP 401 Unauthorized or 403 Forbidden status code. This system allows Geoapify to manage access, monitor usage, and apply rate limits effectively across its diverse API offerings, which are detailed in the Geoapify APIs reference.
Implementing API key authentication requires careful management of these credentials to prevent unauthorized use. Geoapify offers features within its dashboard to help users secure their API keys, such as restricting key usage to specific domains or IP addresses. These measures are crucial for protecting API keys from compromise and safeguarding your account from unexpected usage charges.
Supported authentication methods
Geoapify primarily supports API key authentication across all its services. This method is common for web service APIs due to its simplicity and ease of implementation. While other authentication standards like OAuth 2.0 or mutual TLS are used by some providers for more complex scenarios, Geoapify's API key approach is optimized for rapid development and straightforward access to geospatial data.
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Query Parameter) | Standard method for all Geoapify API requests. Suitable for server-side applications, front-end applications with domain/IP restrictions, and development. | Moderate (Requires careful key management, especially for client-side use. Enhanced by domain/IP restrictions.) |
API Key Details
An API key is a unique string that you include directly in your API requests. For Geoapify, this key is typically passed as a query parameter named apiKey. For example:
https://api.geoapify.com/v1/geocode/search?text=Geoapify&apiKey=YOUR_API_KEY
This method is simple to integrate and works across various programming languages and environments. While convenient, it necessitates strong security practices to prevent unauthorized access. The Geoapify authentication documentation provides comprehensive guidance on proper API key handling.
Getting your credentials
To begin using Geoapify APIs, you must first obtain an API key. This process is managed through the Geoapify customer dashboard.
Steps to obtain an API key:
- Create a Geoapify Account: If you don't already have one, visit the Geoapify homepage and sign up for a new account. Geoapify offers a free tier that includes up to 3000 free requests per day, allowing you to get started without immediate commitment.
- Access the Dashboard: Once logged in, navigate to your Geoapify user dashboard.
- Locate API Key Management: Within the dashboard, look for a section related to 'API Keys' or 'Projects'. Geoapify's dashboard is designed for ease of use, and API key management is typically a prominent feature, as described in the Geoapify developer documentation.
- Generate a New API Key: You will find an option to generate a new API key. It's recommended to create separate API keys for different applications or environments (e.g., development, staging, production) to facilitate tracking and enable granular security restrictions.
- Configure Restrictions (Optional but Recommended): After generating a key, you'll have the option to add restrictions. This is a critical security step. You can specify which domains (for client-side web applications) or IP addresses (for server-side applications) are authorized to use the key. This prevents others from using your key if it is inadvertently exposed.
- Copy Your API Key: Once generated and configured, copy the API key. It will be a long alphanumeric string. Store it securely, as it grants access to your Geoapify account's quota.
Key Management in the Dashboard
The Geoapify dashboard also allows you to:
- Edit Key Restrictions: Modify allowed domains or IP addresses for existing keys.
- Monitor Usage: Track API requests made with each key to understand consumption and identify potential misuse.
- Revoke Keys: Immediately disable a compromised or no longer needed API key. This is a crucial feature for security incident response.
Authenticated request example
This example demonstrates how to make an authenticated request to the Geoapify Geocoding API using an API key. The primary method is to include the apiKey as a query parameter in your request URL.
JavaScript Example (Client-side)
For client-side web applications, you would typically use fetch or XMLHttpRequest. Remember to apply domain restrictions to your API key, as exposing it directly in client-side code without these restrictions is a security risk.
```javascript
async function geocodeAddress(address) {
  const apiKey = 'YOUR_API_KEY'; // Replace with your actual Geoapify API key
  const encodedAddress = encodeURIComponent(address);
  const url = `https://api.geoapify.com/v1/geocode/search?text=${encodedAddress}&apiKey=${apiKey}`;
  try {
    const response = await fetch(url);
    if (!response.ok) {
      // A 401 or 403 here usually means the key is invalid, revoked, or blocked by its domain restriction
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    const data = await response.json();
    console.log('Geocoding result:', data);
    return data;
  } catch (error) {
    console.error('Error during geocoding:', error);
    return null;
  }
}

// Example usage:
geocodeAddress('1600 Amphitheatre Parkway, Mountain View, CA');
```
Python Example (Server-side)
For server-side applications or scripts, Python's requests library is a common choice. Server-side usage is generally more secure as the API key is not exposed to end-users.
```python
import requests

def geocode_address(address):
    api_key = 'YOUR_API_KEY'  # Replace with your actual Geoapify API key
    base_url = 'https://api.geoapify.com/v1/geocode/search'
    params = {
        'text': address,
        'apiKey': api_key
    }
    try:
        # A timeout keeps a stalled connection from hanging the caller indefinitely
        response = requests.get(base_url, params=params, timeout=10)
        response.raise_for_status()  # Raise an HTTPError for bad responses (4xx or 5xx)
        data = response.json()
        print("Geocoding result:", data)
        return data
    except requests.exceptions.RequestException as e:
        # The exception text can contain the request URL, apiKey included; redact before logging in production
        print(f"Error during geocoding: {e}")
        return None

# Example usage:
geocode_address('Eiffel Tower, Paris, France')
```
cURL Example (Command Line)
You can quickly test Geoapify API requests from your terminal using cURL.
```shell
curl "https://api.geoapify.com/v1/geocode/search?text=Berlin,%20Germany&apiKey=YOUR_API_KEY"
```
In all examples, replace YOUR_API_KEY with the actual API key generated from your Geoapify dashboard. It is critical to manage this key securely and apply appropriate restrictions.
Security best practices
Securing your Geoapify API keys is essential to prevent unauthorized usage, protect your data, and avoid unexpected charges. While API keys offer simplicity, their security relies heavily on proper management and implementation.
API Key Management
- Restrict API Key Usage: This is the most crucial step. Geoapify allows you to restrict API keys by HTTP referrers (for web browsers) and IP addresses (for server-side applications). Always set these restrictions in your Geoapify dashboard immediately after generating a key.
- HTTP Referrer Restrictions: For client-side JavaScript applications, specify the exact domains that are allowed to use the key (e.g., *.yourdomain.com/*).
- IP Address Restrictions: For server-side applications, specify the static IP addresses of your servers that will make API requests.
- Avoid Hardcoding API Keys: Never embed plain API keys directly in publicly accessible code repositories or client-side code where domain/IP restrictions are not possible or sufficient.
- Use Environment Variables: For server-side applications, store API keys as environment variables or in secure configuration files that are not committed to version control. This practice is widely recommended for sensitive credentials, as described in guides like the Google Cloud API keys documentation.
- Separate Keys by Application/Environment: Generate distinct API keys for different applications (e.g., website A, mobile app B) and different deployment environments (e.g., development, staging, production). This allows for easier key rotation and revocation if a specific key is compromised, limiting the blast radius.
- Regularly Audit and Rotate Keys: Periodically review your API keys in the Geoapify dashboard. Delete unused keys and consider rotating active keys, especially if there's any suspicion of compromise or a change in application infrastructure.
- Monitor Usage: Utilize the Geoapify dashboard's usage analytics to detect unusual spikes or patterns that might indicate unauthorized use of your API keys.
Data In-Transit Security
Geoapify APIs are accessed exclusively over HTTPS (HTTP Secure). This encrypts all communication between your application and the Geoapify servers, protecting your API key and request data from eavesdropping during transit. Always ensure your application uses https:// for all Geoapify API endpoints.
Error Handling and Logging
Implement robust error handling in your application to gracefully manage API request failures, including those related to authentication (e.g., 401 Unauthorized or 403 Forbidden). Log these errors securely without exposing sensitive information. Avoid logging the API key itself.
Client-side Considerations
When using Geoapify APIs directly from client-side web applications (e.g., JavaScript in a browser), API keys are inherently more exposed than in server-side contexts. Domain restrictions are critical here. Without them, anyone inspecting your web application's network requests could potentially extract and misuse your API key. For applications where strict server-side control is necessary, consider proxying Geoapify requests through your own backend server, which can then add the API key securely. This adds a layer of abstraction and control.
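The backend proxy described above, combined with the environment-variable and error-logging guidance from the best-practices list, as an added example that is not part of the Geoapify documentation or SDKs. It assumes the key is stored in an environment variable named GEOAPIFY_API_KEY and that the proxy exposes GET /geocode?text=... on localhost; both names are this example's own choices. The browser never sees the key, a 401/403 from upstream is reported to the client only as a generic error, and anything written to the log passes through a redaction step so the apiKey value never lands in log files.

```python
"""Minimal Geoapify geocoding proxy (added example; not Geoapify's own code).

Assumptions made here, not taken from the Geoapify docs:
  - the API key lives in the environment variable GEOAPIFY_API_KEY
  - the proxy serves GET /geocode?text=<address> on 127.0.0.1:8080
"""
import json
import logging
import os
import re
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GEOCODE_URL = "https://api.geoapify.com/v1/geocode/search"
# Matches the apiKey query value anywhere in a URL or error string so it can be masked.
_KEY_RE = re.compile(r"(apiKey=)[^&\s\"']+")


def load_api_key(env=os.environ):
    """Read the key from the environment; fail loudly rather than fall back to a hardcoded value."""
    key = env.get("GEOAPIFY_API_KEY")
    if not key:
        raise RuntimeError("GEOAPIFY_API_KEY is not set")
    return key


def build_upstream_url(text, api_key):
    """Attach the key server-side; refuse anything that is not HTTPS."""
    if not GEOCODE_URL.startswith("https://"):
        raise ValueError("Geoapify endpoints must be called over HTTPS")
    return f"{GEOCODE_URL}?{urllib.parse.urlencode({'text': text, 'apiKey': api_key})}"


def redact(message):
    """Mask the apiKey value in any string that is about to be logged."""
    return _KEY_RE.sub(r"\g<1>[REDACTED]", message)


def classify_status(status):
    """Map an upstream HTTP status to an outcome the proxy can log and act on."""
    if status == 200:
        return "ok"
    if status in (401, 403):  # invalid, revoked, or restriction-blocked key
        return "auth_error"
    return "upstream_error"


class GeocodeProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        if parsed.path != "/geocode":
            return self._send(404, {"error": "not found"})
        text = urllib.parse.parse_qs(parsed.query).get("text", [""])[0].strip()
        if not text:
            return self._send(400, {"error": "missing text parameter"})
        url = build_upstream_url(text, load_api_key())
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as e:
            status, body = e.code, e.read()
        except urllib.error.URLError as e:
            logging.error("upstream unreachable: %s", redact(str(e)))
            return self._send(502, {"error": "upstream unavailable"})
        outcome = classify_status(status)
        if outcome != "ok":
            # Log the status and a redacted URL; the client only learns that the lookup failed.
            logging.warning("geocode %s: HTTP %d for %s", outcome, status, redact(url))
            return self._send(502, {"error": "geocoding failed"})
        self._send(200, json.loads(body))

    def _send(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("127.0.0.1", 8080), GeocodeProxy).serve_forever()
```

Run it with `GEOAPIFY_API_KEY=... python proxy.py` and point the browser code at `http://127.0.0.1:8080/geocode?text=...` instead of api.geoapify.com; the proxy can then also enforce its own rate limits or session checks before spending your quota, which a domain restriction alone cannot do.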