Authentication overview

OnWater provides a specialized API designed to determine if a given geographic coordinate falls on water. To ensure that only authorized applications consume its services, OnWater implements a straightforward authentication mechanism based on API keys. An API key serves as a unique identifier and secret token that you include with each request to the OnWater API. This key allows the OnWater system to identify your application and verify your subscription level and usage limits. The simplicity of API key authentication makes it easy to integrate into various application types, from server-side scripts to client-side applications, while still providing a foundational layer of security for API access.

The OnWater API key is a string value that needs to be passed as a query parameter in your API requests. Without a valid and active API key, requests to the OnWater API will be rejected, typically with an authentication error. This mechanism is standard practice for many web services, offering a balance between ease of use and necessary access control. For detailed instructions, refer to the OnWater API documentation.

Supported authentication methods

OnWater primarily supports API key authentication. This method involves generating a unique key from your OnWater account dashboard and including it in your API requests. While other authentication protocols like OAuth 2.0 or mutual TLS are used by more complex APIs for granular permissions or enhanced security, OnWater's focused service model is well-suited to the simplicity and efficiency of API keys.

The API key acts as both an identifier and a secret. It identifies the calling application or user and authenticates the request against the OnWater service. The key is typically managed through the OnWater user interface, where users can generate new keys, revoke existing ones, and monitor their API usage. For a broader understanding of API key security, the Google Maps API key best practices offer relevant general guidance.

Authentication method details

Method: API Key (Query Parameter)
When to Use:
  • Server-side applications
  • Client-side applications (with careful consideration for exposure)
  • Rapid prototyping and development
  • Applications where granular user authorization is not required at the API level
Security Level: Moderate (dependent on key secrecy)

Getting your credentials

To begin using the OnWater API, you first need to obtain an API key. This process typically involves registering for an account on the OnWater website and then navigating to your account dashboard. The steps are generally as follows:

  1. Sign Up/Log In: Go to the OnWater homepage and either create a new account or log in to an existing one.
  2. Access Dashboard: Once logged in, locate your user dashboard or account settings area. This is usually where API keys are managed.
  3. Generate API Key: Within the dashboard, there should be an option to generate a new API key. Follow the prompts, which might include naming your key for organizational purposes.
  4. Copy Key: Once generated, your API key will be displayed. It's crucial to copy this key immediately and store it securely, as it may not be displayed again for security reasons.
  5. Review Usage: The dashboard also typically provides tools to monitor your API usage against your free tier or paid subscription limits.

OnWater offers a free tier of 5,000 requests per month, which is sufficient for testing and low-volume applications. Paid plans are available for higher request volumes. Always refer to the official OnWater documentation for the most current and precise instructions on credential acquisition.

Authenticated request example

Authenticating with the OnWater API involves including your API key as a query parameter in your HTTP GET requests. The API endpoint for checking if a coordinate is on water is straightforward. Below is an example demonstrating how to make an authenticated request using a placeholder API key and specific latitude/longitude coordinates.

Assume your API key is YOUR_ONWATER_API_KEY and you want to check the coordinates 40.7128 (latitude) and -74.0060 (longitude), which correspond to a point in New York City.

HTTP GET Request Structure

GET https://api.onwater.io/api/v1/results/40.7128,-74.0060?access_token=YOUR_ONWATER_API_KEY HTTP/1.1
Host: api.onwater.io

Example using cURL

curl "https://api.onwater.io/api/v1/results/40.7128,-74.0060?access_token=YOUR_ONWATER_API_KEY"

Example using Python (requests library)

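import requests

api_key = "YOUR_ONWATER_API_KEY"  # placeholder; replace with your own key
latitude = 40.7128
longitude = -74.0060

# Coordinates go in the URL path; the key goes in the access_token query parameter.
url = f"https://api.onwater.io/api/v1/results/{latitude},{longitude}"

# Let requests encode the query string, and set a timeout so the call cannot hang.
response = requests.get(url, params={"access_token": api_key}, timeout=10)

if response.status_code == 200:
    data = response.json()
    print(data) # {'lat': 40.7128, 'lon': -74.006, 'water': True, 'distance_to_land': 0.0, 'name': 'Lower Manhattan', 'source': 'WGS84'}
else:
    print(f"Error: {response.status_code} - {response.text}")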

In these examples, replace YOUR_ONWATER_API_KEY with your actual API key obtained from your OnWater dashboard. The response will be a JSON object indicating whether the point is on water, along with other relevant details like distance_to_land and name of the water body if applicable. For more code examples and language-specific implementations, refer to the OnWater API documentation.

Security best practices

While API keys offer a straightforward authentication mechanism, it's crucial to implement them securely to prevent unauthorized access and potential abuse of your OnWater account. Adhering to these best practices will help protect your credentials and maintain the integrity of your applications:

  • Do Not Embed Keys Directly in Client-Side Code: Avoid hardcoding API keys directly into front-end JavaScript, mobile applications, or any code that is publicly accessible. If an attacker gains access to your client-side code, they can extract your API key and use it. For client-side applications, consider using a backend proxy to make OnWater API requests, or implement IP restrictions if supported by OnWater.
  • Use Environment Variables for Server-Side Applications: When deploying server-side applications, store your API key in environment variables rather than directly in your source code. This practice prevents the key from being committed to version control systems (like Git) and makes it easier to manage keys across different deployment environments (development, staging, production).
  • Restrict API Key Usage: If OnWater offers features to restrict API key usage (e.g., by IP address, HTTP referrer, or specific API endpoints), configure these restrictions. Limiting where and how your key can be used significantly reduces the impact if the key is compromised. For example, if your application only makes requests from a specific server, restrict the key to that server's IP address.
  • Rotate API Keys Regularly: Periodically generate new API keys and replace old ones in your applications. This practice, known as key rotation, limits the window of opportunity for a compromised key to be exploited. If you suspect a key has been compromised, revoke it immediately via your OnWater dashboard and generate a new one.
  • Monitor API Usage: Regularly monitor your API usage patterns through your OnWater dashboard. Unexpected spikes in usage could indicate unauthorized access or a compromised key. Set up alerts if available to notify you of unusual activity.
  • Secure Your Development Environment: Ensure that your development machines and build systems are secure. Malicious software or improper access controls in these environments can expose your API keys before deployment.
  • Educate Your Team: Ensure that all developers and team members who work with OnWater API keys understand and follow established security protocols.
  • Review OnWater Documentation: Always refer to the OnWater API documentation for any specific security recommendations or features they provide for key management.
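
An added example (not OnWater's code and not part of the original page) that combines the environment-variable and backend-proxy practices above: the key is read server-side, coordinates are validated before they enter the URL path, and the access_token value is redacted before the URL is logged, since a key carried in the query string otherwise ends up in access and proxy logs. The variable name ONWATER_API_KEY and the injectable fetch and log parameters are assumptions made for this sketch.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE = "https://api.onwater.io/api/v1/results"  # endpoint shown on this page
KEY_ENV = "ONWATER_API_KEY"  # assumed environment variable name

def load_api_key(env=os.environ):
    """Read the key from the environment; fail closed if it is missing."""
    key = env.get(KEY_ENV, "").strip()
    if not key or key == "YOUR_ONWATER_API_KEY":
        raise RuntimeError(f"{KEY_ENV} is not set to a real key")
    return key

def build_url(lat, lon, key):
    """Validate coordinates before they reach the URL path, then attach the key."""
    lat, lon = float(lat), float(lon)  # rejects anything that is not a number
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")  # also rejects NaN and inf
    return f"{BASE}/{lat},{lon}?{urlencode({'access_token': key})}"

def redact_url(url):
    """Replace the access_token value so the URL is safe to write to logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def lookup_for_client(lat, lon, fetch, env=os.environ, log=print):
    """Backend-proxy step: the client sends only lat/lon; the key is added here.

    fetch is any callable taking a URL and returning the parsed response,
    e.g. lambda u: requests.get(u, timeout=10).json() in a real service.
    """
    url = build_url(lat, lon, load_api_key(env))
    log(f"upstream request: {redact_url(url)}")  # the key never reaches the log
    return fetch(url)
```
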

By diligently applying these security best practices, you can mitigate many common risks associated with API key authentication and ensure the secure operation of your OnWater-powered applications.