Authentication overview
Open-Meteo provides access to its suite of weather APIs, including current weather, historical data, and forecasts. For many basic use cases and within the free tier, Open-Meteo's API endpoints can often be accessed without an explicit API key. The service primarily uses IP address-based rate limiting for unauthenticated requests. However, for consistent service, higher rate limits, and accurate usage tracking, particularly for Open-Meteo paid plans, utilizing an API key is the recommended practice.
An API key serves as a unique identifier for your application, allowing Open-Meteo to monitor and manage your API usage. It helps enforce rate limits specific to your account and ensures that your application receives the appropriate service level. While some APIs, like Google Maps Platform APIs, strictly require API keys for all requests, Open-Meteo offers flexibility for introductory usage while recommending keys for sustained or high-volume access.
When an API key is used, it is typically passed as a query parameter in your API requests. This method is straightforward to implement and manage, making it suitable for applications where ease of integration is a priority. Understanding how to obtain and securely manage your API key is crucial for reliable interaction with Open-Meteo's services.
Supported authentication methods
Open-Meteo primarily supports API key authentication for managing access and usage of its weather data APIs. This method is common for services that require straightforward access control and rate limiting without the complexity of more advanced protocols like OAuth 2.0.
The API key is a unique string that identifies your application. When included in an API request, it signals to the Open-Meteo server which account is making the request, enabling the application of specific rate limits or access permissions associated with that account.
API Key
This is the primary method for authenticating with Open-Meteo, especially for users on paid plans or those requiring higher request volumes. The API key is typically appended to the request URL as a query parameter.
- How it works: You obtain a unique API key from your Open-Meteo account dashboard. This key is then included in your API requests.
- Purpose: Primarily used for rate limiting, usage tracking, and enabling access to higher request volumes or specific features available with a paid subscription.
- Security considerations: API keys should be treated as sensitive credentials. They grant access to your allocated API usage and should be protected against unauthorized disclosure.
Open-Meteo does not currently support more complex authentication flows such as OAuth 2.0, which is often used for delegated authorization in applications that require user consent for third-party access (see the OAuth 2.0 specifications). For Open-Meteo, the focus remains on direct application access via API keys.
| Method | When to Use | Security Level |
|---|---|---|
| API Key | For all authenticated requests, paid plans, or when exceeding free tier IP-based limits. | Medium (requires secure handling of the key) |
| (No Authentication) | For free tier usage up to 10,000 requests/day where IP-based rate limiting is sufficient. | Low (no specific credential required) |
Getting your credentials
To obtain an API key for Open-Meteo, you generally need to register for an account on their platform. The process is typically straightforward and involves a few steps:
- Create an Open-Meteo Account: Navigate to the Open-Meteo homepage and register for a new account if you don't already have one. This usually involves providing an email address and creating a password.
- Access Your Dashboard: Once registered and logged in, you should be able to access your personal account dashboard. This is where you manage your subscriptions, view usage statistics, and generate API keys.
- Generate an API Key: Within the dashboard, look for a section related to 'API Keys', 'Credentials', or 'Settings'. There will typically be an option to generate a new API key. Follow the prompts to create your key. Some services allow you to name your keys for easier management, especially if you plan to use multiple keys for different applications.
- Copy Your API Key: Once generated, your API key will be displayed. It's crucial to copy this key immediately and store it securely, because for security reasons it may not be retrievable later and can only be regenerated.
The API key is a long string of alphanumeric characters. This key is unique to your account and should be treated as a sensitive credential. Losing or compromising your API key could lead to unauthorized use of your Open-Meteo quota. Refer to the Open-Meteo documentation for the most up-to-date and specific instructions on API key generation, as processes can occasionally change.
For development and testing, obtaining an API key is a fundamental step to ensure your application can interact with the Open-Meteo APIs reliably, especially if you anticipate exceeding the free tier's unauthenticated request limits.
Authenticated request example
Once you have obtained your API key from the Open-Meteo dashboard, you can include it in your API requests. For Open-Meteo, the API key is typically passed as a query parameter in the URL. Below is an example using a hypothetical API key YOUR_API_KEY.
Consider a request to the Open-Meteo Weather Forecast API for a specific location. The base URL for the forecast API might look like this (refer to Open-Meteo Forecast API documentation for exact endpoints):
```bash
# Example using curl
curl "https://api.open-meteo.com/v1/forecast?latitude=52.52&longitude=13.41&daily=temperature_2m_max,temperature_2m_min&timezone=Europe%2FBerlin&apikey=YOUR_API_KEY"
```
In this example:
- `https://api.open-meteo.com/v1/forecast` is the base endpoint for the weather forecast.
- `latitude=52.52&longitude=13.41` specify the geographical coordinates for the forecast.
- `daily=temperature_2m_max,temperature_2m_min` requests specific daily weather variables.
- `timezone=Europe%2FBerlin` sets the timezone for the forecast data.
- `apikey=YOUR_API_KEY` is the query parameter where you replace `YOUR_API_KEY` with the actual key obtained from your Open-Meteo account.
Python example:
```python
import requests

api_key = "YOUR_API_KEY"  # Replace with your actual API key
latitude = 52.52
longitude = 13.41

# Let requests build and URL-encode the query string, including the key.
params = {
    "latitude": latitude,
    "longitude": longitude,
    "daily": "temperature_2m_max,temperature_2m_min",
    "timezone": "Europe/Berlin",
    "apikey": api_key,
}
response = requests.get("https://api.open-meteo.com/v1/forecast", params=params, timeout=10)

if response.status_code == 200:
    data = response.json()
    print(data)
else:
    print(f"Error: {response.status_code} - {response.text}")
```
This Python snippet demonstrates how to construct and send a GET request including the API key. Remember to replace "YOUR_API_KEY" with your actual key before running the code. Always refer to the Open-Meteo official documentation for specific endpoint details, required parameters, and any updates to their authentication method.
Security best practices
Securing your Open-Meteo API key is essential to prevent unauthorized usage, protect your account's rate limits, and ensure the integrity of your applications. Adhering to security best practices helps mitigate risks associated with credential exposure.
1. Environment Variables and Configuration Files
Never hardcode API keys directly into your source code. Hardcoding exposes your key in version control systems (like Git) and makes it difficult to rotate keys without code changes. Instead, store your API key in:
- Environment variables: For server-side applications, use environment variables (e.g., `OPEN_METEO_API_KEY`). This keeps the key separate from your codebase and allows for easy updates without redeploying code.
- Configuration files: For local development or smaller projects, use a `.env` file or a dedicated configuration file (e.g., `config.json`, `settings.ini`). Ensure these files are excluded from version control using `.gitignore` or similar mechanisms.
2. Server-side Calls
When possible, make API calls from your backend server rather than directly from client-side applications (e.g., web browsers, mobile apps). If your API key is embedded in client-side code, it can be easily extracted by anyone inspecting the client-side source, leading to unauthorized use. A server-side proxy can add the API key before forwarding the request to Open-Meteo, keeping the key hidden from the end-user.
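The following sketch combines practices 1 and 2: the key is read from the `OPEN_METEO_API_KEY` environment variable, attached server-side to an allow-listed set of client parameters, and masked before any URL is logged (the key travels in the query string, so it would otherwise appear in logs). It is an added example, not Open-Meteo's code; the function names and the `ALLOWED_PARAMS` set are assumptions for illustration.

```python
import os
import re
from urllib.parse import urlencode

UPSTREAM = "https://api.open-meteo.com/v1/forecast"  # endpoint used on this page
# Assumption: the only parameters this proxy lets clients control.
ALLOWED_PARAMS = {"latitude", "longitude", "daily", "timezone"}
_KEY_RE = re.compile(r"(?i)([?&]apikey=)[^&#\s]+")


def load_api_key(env=os.environ):
    """Read the key from OPEN_METEO_API_KEY; fail closed if it is missing."""
    key = env.get("OPEN_METEO_API_KEY", "").strip()
    if not key:
        raise RuntimeError("OPEN_METEO_API_KEY is not set")
    return key


def build_upstream_url(client_params, api_key):
    """Build the upstream URL from allow-listed client parameters only.

    A client-supplied 'apikey' (or any other unknown parameter) is dropped,
    so a caller cannot override the server's key or reach other options.
    """
    safe = {k: v for k, v in client_params.items() if k in ALLOWED_PARAMS}
    missing = {"latitude", "longitude"} - safe.keys()
    if missing:
        raise ValueError(f"missing required parameters: {sorted(missing)}")
    safe["apikey"] = api_key  # added server-side, never sent to the browser
    return f"{UPSTREAM}?{urlencode(safe)}"


def redact(text):
    """Mask the apikey value before a URL is logged or put in an error message."""
    return _KEY_RE.sub(r"\1REDACTED", text)
```

The backend handler would call `build_upstream_url` with the parsed client query, fetch the result, and pass only `redact(url)` to its logger.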
3. Restrict Key Usage (if available)
Open-Meteo's current API key system does not offer fine-grained restrictions like IP address whitelisting or domain restrictions, but restricting where a key can be used is a general best practice for API keys. If Open-Meteo introduces such features in the future, leverage them to limit where and how your key can be used. This adds a layer of defense even if a key is compromised.
4. Rotate API Keys Regularly
Periodically generate new API keys and revoke old ones. Regular key rotation minimizes the window of opportunity for a compromised key to be exploited. Establish a schedule for rotation (e.g., quarterly) or immediately rotate keys if you suspect compromise.
On the Open-Meteo dashboard, you should find an option to regenerate or revoke existing keys.
5. Monitor Usage
Regularly check your Open-Meteo account dashboard for unusual spikes in API usage. Unexpected usage patterns could indicate a compromised key or an unintended loop in your application. Timely monitoring allows for quick detection and response to potential security incidents.
6. Secure Development Practices
Integrate security considerations into your development lifecycle. This includes:
- Secure coding practices: Follow guidelines for secure data handling and input validation to prevent vulnerabilities like injection attacks.
- Access control: Limit who has access to your API keys within your team or organization. Use role-based access control (RBAC) where appropriate.
- Logging: Implement adequate logging to track API requests and potential errors, which can aid in incident response.
By implementing these security measures, you can significantly reduce the risk of unauthorized access and ensure the secure operation of your applications relying on Open-Meteo's weather data.