Authentication overview
The IPMA (Instituto Português do Mar e da Atmosfera) API offers meteorological, climatological, geophysical, and marine data primarily for Portugal. For most public and non-commercial uses, the IPMA API does not require explicit authentication credentials like API keys or tokens. This model simplifies access for developers integrating weather data into non-commercial applications or academic research projects (see the IPMA API documentation). Users can query various endpoints directly without needing to register or manage authentication tokens.
However, specific scenarios, such as commercial applications, requests for higher rate limits, or access to specialized datasets, may necessitate a formal agreement with IPMA. In these cases, IPMA would provide tailored authentication methods and credentials. This structure allows IPMA to manage resource allocation and ensure fair use across its public and commercial user bases, aligning with its mission to provide public meteorological services (see IPMA's official website).
Developers should consult the official IPMA API documentation for any updates regarding authentication policies or specific endpoint requirements. While the general policy is unauthenticated access for public use, changes to API versions or the introduction of new services could potentially introduce new authentication requirements.
Supported authentication methods
For the primary public-facing IPMA API, explicit authentication methods are generally not required. This means developers can make direct HTTP GET requests to the API endpoints without including headers or query parameters for authentication. This approach is common for public data APIs where the primary goal is broad dissemination of information.
For commercial or high-volume usage, IPMA's authentication methods are determined on a case-by-case basis through direct agreement. These methods could potentially include:
- API Keys: A unique string passed in a header or query parameter to identify the client application.
- OAuth 2.0: An industry-standard protocol for delegated authorization, often used for third-party applications to access user data without sharing credentials (see the OAuth 2.0 specification).
- Basic Authentication: Transmitting a username and password with each request, typically Base64-encoded.
The specific method, if required, would be detailed in the commercial agreement and accompanying documentation provided by IPMA. Developers seeking commercial access should initiate contact with IPMA to discuss their specific needs and receive guidance on the appropriate authentication mechanism.
Authentication Methods Summary
| Method | When to Use | Security Level |
|---|---|---|
| No Authentication | Public, non-commercial use; standard rate limits | Low (no client identification) |
| API Key (Potential) | Commercial use, higher rate limits, specialized data access (by agreement) | Medium (client identification, revocable) |
| OAuth 2.0 (Potential) | Delegated access, commercial applications requiring user consent (by agreement) | High (secure delegation, token-based access) |
| Basic Authentication (Potential) | Specific commercial integrations requiring simple client/server trust (by agreement) | Medium (requires HTTPS for secure transmission) |
Getting your credentials
For the standard public IPMA API, no specific credentials are required. Developers can begin making requests immediately after reviewing the API documentation to understand available endpoints and data structures (see the IPMA API reference). This unauthenticated access streamlines the onboarding process for non-commercial users.
If your project requires commercial use, higher request volumes, or access to restricted datasets, you must contact IPMA directly to discuss your requirements. The process for obtaining credentials in such cases typically involves:
- Initial Contact: Reach out to IPMA through their official channels, often found on their main website or within the API documentation's contact section.
- Requirement Assessment: Explain your use case, expected data volume, and any specific data needs.
- Agreement & Terms: IPMA will review your request and, if approved, provide a commercial agreement outlining terms of service, pricing (if applicable), and specific access details.
- Credential Issuance: Upon agreement, IPMA will issue the necessary credentials, such as an API key, client ID, or client secret, along with instructions on how to use them.
- Integration Support: IPMA may offer guidance or specific documentation for integrating the authenticated access into your application.
It is crucial to follow IPMA's official procedures for commercial access to ensure compliance with their terms of service and to maintain reliable access to their data. Attempting to circumvent rate limits or access restricted data without proper authorization may result in IP address blocking or service termination.
Authenticated request example
Since the primary public IPMA API does not require explicit authentication, a typical request example would simply involve an HTTP GET call to an endpoint. For instance, to retrieve weather forecasts for a specific location in Portugal, you might use an endpoint like /forecast/meteorology/cities/daily/{globalIdLocal}.
Here's an example using curl to fetch daily weather data for a city (e.g., Lisbon, with globalIdLocal 1110600):
```bash
curl -X GET "https://api.ipma.pt/open-api/forecast/meteorology/cities/daily/1110600"
```
This request directly accesses the public endpoint without any authentication headers or parameters. The response would typically be a JSON object containing meteorological data for Lisbon.
Example of a hypothetical authenticated request (for commercial use, if an API key were issued):
If IPMA were to issue an API key (e.g., YOUR_API_KEY) for commercial access, and instruct you to pass it as a header named X-API-Key, an authenticated request might look like this:
```bash
curl -X GET \
  -H "X-API-Key: YOUR_API_KEY" \
  "https://api.ipma.pt/open-api/forecast/meteorology/cities/daily/1110600"
```
This example is illustrative. The actual method for passing credentials (e.g., header name, query parameter, OAuth token) would be specified by IPMA in their commercial agreement documentation. Always refer to the specific instructions provided by IPMA for authenticated access.
Security best practices
Even when an API does not require explicit authentication for public access, adhering to security best practices is essential for responsible API consumption and application development. For IPMA API users, consider the following:
- Use HTTPS: All communication with the IPMA API should occur over HTTPS. This encrypts data in transit, protecting against eavesdropping and tampering, even for public data endpoints. The IPMA API inherently supports HTTPS, and developers should ensure their client libraries or tools are configured to use it. The IETF's RFC 2818 (HTTP Over TLS) details HTTP over TLS (HTTPS) for secure communication.
- Manage API Keys Securely (if applicable): If you obtain an API key for commercial access, treat it as sensitive information.
  - Environment Variables: Store API keys in environment variables rather than hardcoding them directly into your source code.
  - Secrets Management: For production environments, use a dedicated secrets management service (e.g., AWS Secrets Manager, Google Cloud Secret Manager, Azure Key Vault) to store and retrieve API keys securely (see the AWS Secrets Manager documentation).
  - Access Control: Restrict access to API keys to only authorized personnel and systems.
  - Never Expose in Client-Side Code: Do not embed API keys directly in client-side code (e.g., JavaScript in a web browser or mobile app) where they can be easily extracted by users.
- Implement Rate Limit Handling: Even public APIs have rate limits to prevent abuse. Implement proper error handling for rate limit exceeded responses (e.g., HTTP 429 Too Many Requests) and incorporate exponential backoff or retry mechanisms to avoid being blocked.
- Validate and Sanitize Inputs: When constructing API requests, especially if parameters are user-supplied, validate and sanitize all inputs to prevent injection attacks or malformed requests that could lead to unexpected behavior or security vulnerabilities in your application.
- Monitor API Usage: Keep track of your application's API usage patterns. This helps in identifying unusual activity that might indicate a compromise or an unexpected increase in requests, allowing you to react proactively.
- Stay Updated: Regularly check the IPMA API documentation for any updates to authentication methods, security policies, or new best practices.
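The HTTPS, key-handling, rate-limit and input-validation items above, combined in one small client, as an added example that is not IPMA's or this page's own code. The `IPMA_API_KEY` variable name is an assumption, the `X-API-Key` header follows the page's hypothetical illustration, and a numeric `Retry-After` header on a 429 response is assumed to be possible rather than documented.

```python
import os
import re
import time
import urllib.error
import urllib.request

# Endpoint taken from the page; HTTPS is fixed here, never built from input.
BASE = "https://api.ipma.pt/open-api/forecast/meteorology/cities/daily/"
KEY_ENV = "IPMA_API_KEY"   # hypothetical environment variable name
KEY_HEADER = "X-API-Key"   # hypothetical header, per the page's illustration


def build_request(global_id_local):
    """Validate the location id and return a Request for the HTTPS endpoint."""
    gid = str(global_id_local)
    # Allow-list ASCII digits only, so user input cannot add path segments,
    # query strings or whitespace to the URL.
    if not re.fullmatch(r"[0-9]{1,10}", gid):
        raise ValueError("globalIdLocal must be 1-10 ASCII digits")
    req = urllib.request.Request(BASE + gid, method="GET")
    key = os.environ.get(KEY_ENV)  # read at call time, never hardcoded
    if key:                        # absent for ordinary public access
        req.add_header(KEY_HEADER, key)
    return req


def retry_delay(attempt, retry_after=None, base=1.0, cap=60.0):
    """Seconds to wait before retrying after failed attempt `attempt` (0-based)."""
    if retry_after is not None and re.fullmatch(r"[0-9]+", str(retry_after)):
        return min(float(retry_after), cap)   # server hint, but bounded
    return min(base * 2 ** attempt, cap)      # exponential backoff, capped


def fetch(global_id_local, opener=urllib.request.urlopen,
          sleep=time.sleep, max_attempts=5):
    """GET the forecast; back off on HTTP 429, let other errors propagate."""
    req = build_request(global_id_local)
    for attempt in range(max_attempts):
        try:
            with opener(req, timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            # Only 429 is retried; give up once the attempt budget is spent.
            if err.code != 429 or attempt == max_attempts - 1:
                raise
            sleep(retry_delay(attempt, err.headers.get("Retry-After")))
```

The `opener` and `sleep` parameters exist so the retry path can be exercised offline with a stub transport; in normal use `fetch(1110600)` is the whole call.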