Authentication overview
Micro Weather secures access to its Hyperlocal Weather API, Historical Weather Data, and Weather Forecasts through an API key-based authentication system. This mechanism requires developers to include a unique, secret key with each request to prove their identity and authorize access to the requested data. The API key serves as the primary credential for identifying the calling application or user and associating requests with a specific account's usage limits and subscription plan, such as the Micro Weather Developer Plan or Basic Plan.
The use of API keys simplifies the integration process while providing a foundational level of security. All communications with the Micro Weather API are expected to occur over HTTPS/TLS to encrypt data in transit, further protecting the API key and the data exchanged. This approach aligns with common practices for RESTful API authentication, where API keys offer a balance between ease of use and necessary security measures for managing access to sensitive or rate-limited resources.
While API keys are straightforward to implement, their security relies heavily on how they are managed and protected by the developer. Best practices, such as avoiding hardcoding keys and using environment variables, are crucial to prevent unauthorized access. The Micro Weather official documentation provides detailed guidance on securely handling these credentials.
Supported authentication methods
Micro Weather primarily supports API key authentication for accessing its services. This method is suitable for most server-to-server and backend applications where the API key can be securely stored and managed. The API key is typically passed as a query parameter or an HTTP header in each request.
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Query Parameter) | Quick integration, public data access where key exposure is acceptable (e.g., client-side applications with strict rate limits and IP restrictions). Less secure if key is exposed. | Moderate (requires HTTPS, client-side exposure risk) |
| API Key (HTTP Header) | Preferred for server-side applications, backend services, and any scenario where the key should not appear in URLs or logs. More secure than query parameters. | High (requires HTTPS, server-side protection) |
For enhanced security and to adhere to modern API security standards, Micro Weather recommends transmitting API keys via HTTP headers whenever possible, especially for server-side integrations. This practice helps prevent the key from being logged in web server access logs or browser history, which can occur when keys are passed as query parameters. Regardless of the method, all requests to the Micro Weather API must use HTTPS (TLS) to encrypt the connection and protect the API key from interception during transit. The Cloudflare guide on SSL/TLS provides a foundational understanding of secure communication protocols.
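The log exposure described above can be audited after the fact. The following is an added example, not Micro Weather code: it scans access-log lines for the `apiKey` query parameter, redacts the value, and records a short SHA-256 fingerprint so the affected key can be identified for rotation without being stored again. The log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /v1/current?latitude=34.0522&longitude=-118.2437&apiKey=EXAMPLEKEY0001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "GET /v1/current?latitude=34.0522&longitude=-118.2437 HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2025:10:02:11 +0000] "GET /v1/current?apikey=EXAMPLEKEY0002&latitude=51.5 HTTP/1.1" 401 87',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
KEY_PARAM = "apikey"  # compared case-insensitively; the page's curl example uses "apiKey"


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: identifies which key leaked without storing the key."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scrub_line(line: str):
    """Return (scrubbed_line, [fingerprints of keys found in the request target])."""
    match = REQUEST_RE.search(line)
    if not match:
        return line, []
    parts = urlsplit(match.group("target"))
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == KEY_PARAM:
            found.append(fingerprint(value))
            value = "REDACTED"
        kept.append((name, value))
    if not found:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(kept)))
    start, end = match.span("target")
    return line[:start] + target + line[end:], found


def audit(lines):
    """Scrub every line; return scrubbed lines and a {fingerprint: hit count} map."""
    hits, out = {}, []
    for line in lines:
        scrubbed, fps = scrub_line(line)
        out.append(scrubbed)
        for fp in fps:
            hits[fp] = hits.get(fp, 0) + 1
    return out, hits
```

Any fingerprint that appears in the result marks a key that has been written to disk in clear text and should be rotated.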
Getting your credentials
To obtain your Micro Weather API key, follow these steps:
- Sign Up or Log In: Navigate to the Micro Weather homepage and either create a new account or log in to your existing one.
- Access Dashboard: Once logged in, you will be redirected to your Micro Weather developer dashboard.
- Locate API Keys Section: Within the dashboard, look for a section labeled "API Keys" or "Credentials."
- Generate New Key (if needed): If you don't have an existing key or wish to generate a new one, there will typically be an option to "Generate New Key" or "Create API Key."
- Copy Your Key: Your unique API key will be displayed. Copy this key immediately and store it securely. Micro Weather typically only displays the full key once upon generation for security reasons.
- Configure Permissions (Optional): Depending on your plan and the specific Micro Weather services you intend to use, you may have options to configure permissions or restrictions for your API key, such as IP address whitelisting or specific API endpoint access. Consult the Micro Weather documentation for details on managing key permissions.
It is critical to treat your API key as a sensitive credential, similar to a password. Do not embed it directly into client-side code, commit it to version control systems like Git, or expose it in public repositories. Instead, use environment variables or a secure configuration management system to store and retrieve your key.
Authenticated request example
Micro Weather provides SDKs for Python, Node.js, Java, and Go to simplify integration. The following examples demonstrate how to make an authenticated request using the API key in a common scenario, such as fetching current weather data for a specific location. These examples assume your API key is stored in an environment variable named MICRO_WEATHER_API_KEY.
Python Example
Using the Micro Weather Python SDK:
```python
import os
import microweather

# Retrieve API key from environment variable
api_key = os.environ.get('MICRO_WEATHER_API_KEY')

if api_key:
    microweather.api_key = api_key
    try:
        # Example: Get current weather for a location (latitude, longitude)
        current_weather = microweather.CurrentWeather.get(latitude=34.0522, longitude=-118.2437)
        print("Current Temperature:", current_weather.temperature, "°C")
        print("Condition:", current_weather.condition)
    except microweather.exceptions.MicroWeatherAPIError as e:
        print(f"API Error: {e}")
else:
    print("Error: MICRO_WEATHER_API_KEY environment variable not set.")
```
Node.js Example
Using the Micro Weather Node.js SDK:
```javascript
require('dotenv').config(); // For loading .env files
const MicroWeather = require('microweather-sdk');

// Retrieve API key from environment variable
const apiKey = process.env.MICRO_WEATHER_API_KEY;

if (apiKey) {
  const client = new MicroWeather(apiKey);

  async function getCurrentWeather() {
    try {
      // Example: Get current weather for a location (latitude, longitude)
      const weather = await client.currentWeather.get({ latitude: 34.0522, longitude: -118.2437 });
      console.log('Current Temperature:', weather.temperature, '°C');
      console.log('Condition:', weather.condition);
    } catch (error) {
      console.error('API Error:', error.message);
    }
  }

  getCurrentWeather();
} else {
  console.error('Error: MICRO_WEATHER_API_KEY environment variable not set.');
}
```
Raw HTTP Request Example (using curl)
If you are not using an SDK, you can make direct HTTP requests. This example demonstrates including the API key as a query parameter. For production, consider passing it as an Authorization header if the API supports it, or ensure robust server-side protection.
```bash
export MICRO_WEATHER_API_KEY="YOUR_SECRET_API_KEY"

curl -X GET \
  "https://api.microweather.com/v1/current?latitude=34.0522&longitude=-118.2437&apiKey=$MICRO_WEATHER_API_KEY" \
  -H "Accept: application/json"
```
Refer to the Micro Weather API Reference for specific endpoint details and required parameters.
Security best practices
Securely managing your Micro Weather API keys is essential to prevent unauthorized access to your account and data. Adhere to the following best practices:
- Protect Your API Key: Treat your API key as a sensitive secret. Never hardcode it directly into your application's source code, especially for client-side applications. Avoid committing it to public version control systems (e.g., GitHub, GitLab).
- Use Environment Variables: Store API keys in environment variables on your server or development machine. This isolates the key from your codebase and allows for easier rotation without code changes. Most programming languages and frameworks provide straightforward ways to access environment variables.
- Server-Side Access Only: Whenever possible, make API calls from your backend servers rather than directly from client-side applications (web browsers, mobile apps). This prevents your API key from being exposed to end-users, where it could be inspected and potentially compromised.
- Restrict Key Permissions: If Micro Weather offers options to configure API key permissions, enable only the necessary access rights for each key. For instance, if a key only needs to read weather data, do not grant it write or administrative privileges.
- IP Whitelisting: If supported, configure IP address restrictions for your API key. This ensures that requests using the key are only accepted from a predefined list of trusted server IP addresses, significantly reducing the risk of unauthorized use if the key is compromised.
- Regular Key Rotation: Periodically generate new API keys and revoke old ones. This practice limits the window of opportunity for a compromised key to be exploited. The recommended rotation frequency depends on your security policy and risk assessment.
- Monitor API Usage: Regularly review your API usage statistics in the Micro Weather dashboard. Unusual spikes in usage or requests from unexpected locations could indicate a compromised key.
- HTTPS/TLS Enforcement: Always ensure that all communications with the Micro Weather API use HTTPS (TLS) to encrypt data in transit. This protects your API key and the data being exchanged from eavesdropping.
- Error Handling: Implement robust error handling in your application to gracefully manage authentication failures. Avoid logging API keys in plain text in error messages or application logs.
- Review Micro Weather Documentation: Stay updated with the Micro Weather documentation for any new security features or recommended practices.
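One way to enforce the "Error Handling" item above is a logging filter that scrubs the key before any handler writes the record. This is an added example, not part of the Micro Weather SDK or documentation; the class name `ApiKeyRedactor`, the helper `build_logger`, and the logger name are hypothetical, while the `apiKey` parameter and the `MICRO_WEATHER_API_KEY` variable come from the examples on this page.

```python
import logging
import os
import re

# Matches the query parameter used in the page's curl example, any letter case.
KEY_PARAM_RE = re.compile(r"(?i)(\bapikey=)[^&\s\"']+")


class ApiKeyRedactor(logging.Filter):
    """Scrub the API key from log records before any handler formats them."""

    def __init__(self, secret=None):
        super().__init__()
        # Also mask the literal key value wherever it appears (headers, dict reprs).
        self._secret = secret or None

    def _scrub(self, text: str) -> str:
        text = KEY_PARAM_RE.sub(r"\1[REDACTED]", text)
        if self._secret:
            text = text.replace(self._secret, "[REDACTED]")
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Render message + args first so keys passed as %s arguments are caught too.
        record.msg = self._scrub(record.getMessage())
        record.args = None
        if record.exc_info:
            # Pre-render the traceback; formatters reuse exc_text when it is set.
            record.exc_text = self._scrub(
                logging.Formatter().formatException(record.exc_info))
        return True  # never drop the record, only rewrite it


def build_logger(name="weather_client", handler=None):
    """Logger whose handler redacts MICRO_WEATHER_API_KEY and apiKey=... values."""
    handler = handler or logging.StreamHandler()
    handler.addFilter(ApiKeyRedactor(os.environ.get("MICRO_WEATHER_API_KEY")))
    logger = logging.getLogger(name)
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger
```

Attaching the filter to the handler rather than to the logger means records from child loggers that reach this handler are scrubbed as well.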
By adhering to these security best practices, developers can significantly enhance the protection of their Micro Weather API keys and maintain the integrity of their applications.