What authentication method does OpenFIGI use?

OpenFIGI exclusively uses API key authentication. You must include a unique API key with every request to identify your application and manage usage.

How do I get an OpenFIGI API key?

You can obtain an API key by registering for an account on the official OpenFIGI website. After registration and email verification, you can generate your key from your account dashboard.

Where do I include the API key in my requests?

The API key must be included in the HTTP header named `X-OPENFIGI-APIKEY` for all requests to the OpenFIGI API endpoints.

Is OpenFIGI API key authentication secure?

Its security relies on keeping the key confidential and transmitting it over HTTPS. Treat it like a password and avoid hardcoding it or exposing it publicly.

Can I use OAuth 2.0 or other methods with OpenFIGI?

No, OpenFIGI does not support OAuth 2.0, mutual TLS, or other advanced authentication methods. API key is the only supported mechanism.

What happens if my OpenFIGI API key is compromised?

If your API key is compromised, immediately generate a new key from your OpenFIGI account dashboard. This will invalidate the old key and prevent unauthorized use.

Are there rate limits on OpenFIGI API usage?

Yes, OpenFIGI applies rate limits to all API key users. These limits vary for free and commercial usage tiers and are detailed in their official documentation.

OpenFIGI Authentication: API Key Access & Security (2026)

OpenFIGI authentication: The OpenFIGI API uses an API key to control access and manage usage. This key, passed via a request header, identifies the user for rate limiting and ensures legitimate API consumption. It is required for all requests to the OpenFIGI service, facilitating both free and commercial access.

Authentication overview

OpenFIGI provides a free API service for mapping conventional security identifiers to Financial Instrument Global Identifiers (FIGIs) and their associated metadata. Access to the OpenFIGI API is managed through a single authentication method: the API key. This key serves as a unique identifier for each user, enabling OpenFIGI to apply rate limits and ensure fair usage across its user base, which includes both non-commercial and commercial applications. All requests made to the OpenFIGI API endpoints require the inclusion of a valid API key.

The API key is a secret credential that must be protected from unauthorized access. It is passed as an HTTP header with each API request, allowing the OpenFIGI server to verify the request's origin and associate it with a registered user account. The system does not support alternative authentication flows such as OAuth 2.0 or mutual TLS, simplifying integration for developers while placing the responsibility for key security on the user.

Supported authentication methods

OpenFIGI exclusively supports API key authentication. This method is common for public APIs that prioritize ease of integration and controlled access through rate limiting rather than complex authorization scopes.

OpenFIGI Authentication Methods
Method	When to Use	Security Level
API Key	All API requests to identify users and enforce rate limits.	Moderate (relies on key secrecy and secure transmission over HTTPS).

An API key is a unique string that functions like a password for your application when interacting with the OpenFIGI API. It is designed to be included directly in your API calls. The primary security measure for API keys is keeping them confidential and ensuring they are transmitted over secure channels (HTTPS).

Getting your credentials

To obtain an OpenFIGI API key, you must register on the official OpenFIGI website. The process typically involves these steps:

Visit the OpenFIGI Website: Navigate to the OpenFIGI homepage.
Register for an Account: Look for a "Get API Key" or "Register" link. You will likely need to provide an email address and create a password.
Verify Email: An email verification step is common to confirm your ownership of the provided email address.
Generate API Key: Once registered and logged in, there should be a section in your account dashboard to generate your API key. The key will be displayed as a unique alphanumeric string.
Store Your Key Securely: Copy your API key and store it in a secure location. Avoid hardcoding it directly into your application's source code, especially for public repositories. Environment variables or a secure configuration management system are preferred.

OpenFIGI does not impose specific requirements for key rotation, but it is a general security practice to consider periodic rotation for long-lived credentials. If your API key is compromised, you can typically generate a new one from your account dashboard, which will invalidate the old key.

Authenticated request example

Once you have obtained your API key, you will include it in the X-OPENFIGI-APIKEY HTTP header for every request to the OpenFIGI API. The API supports POST requests for mapping identifiers.

Here's an example using curl to map an ISIN to a FIGI, demonstrating how to include the API key:

curl -X POST \
  https://api.openfigi.com/v3/mapping \
  -H 'Content-Type: application/json' \
  -H 'X-OPENFIGI-APIKEY: YOUR_API_KEY_HERE' \
  -d '[{
    "idType": "ID_ISIN",
    "idValue": "US0378331005"
  }]'

In this example:

YOUR_API_KEY_HERE should be replaced with your actual OpenFIGI API key.
The -H 'X-OPENFIGI-APIKEY: ...' flag adds the necessary authentication header.
The -H 'Content-Type: application/json' header indicates the request body format.
The -d flag provides the JSON payload containing the identifier to be mapped.

For programmatic access, integrate the API key into your HTTP client's header configuration. Here's a Python example using the requests library:

import requests
import json

api_key = "YOUR_API_KEY_HERE"
url = "https://api.openfigi.com/v3/mapping"

headers = {
    "Content-Type": "application/json",
    "X-OPENFIGI-APIKEY": api_key
}

job = [
    {
        "idType": "ID_ISIN",
        "idValue": "US0378331005"
    }
]

response = requests.post(url, headers=headers, data=json.dumps(job))

if response.status_code == 200:
    print(json.dumps(response.json(), indent=2))
else:
    print(f"Error: {response.status_code} - {response.text}")

This Python snippet demonstrates how to construct the headers and payload for an authenticated request, process the response, and handle potential errors.

Security best practices

Securing your OpenFIGI API key is critical to prevent unauthorized usage and potential service disruptions due to exceeding rate limits or misuse. Adhere to these security best practices:

Keep API Keys Confidential: Treat your API key like a password. Do not hardcode it directly into client-side code (e.g., JavaScript running in a browser) or commit it to version control systems like Git without proper encryption or exclusion.
Use Environment Variables: For server-side applications, store API keys in environment variables. This keeps them out of your codebase and allows for easy rotation without code changes. For example, in Python: os.environ.get('OPENFIGI_API_KEY').
Secure Configuration Files: If using configuration files, ensure they are not publicly accessible and use file permissions to restrict access. Consider using dedicated secrets management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) for production environments to manage and retrieve secrets securely.
Transmit Over HTTPS Only: Always ensure your API calls are made over HTTPS. This encrypts the communication channel, protecting your API key from interception during transit. OpenFIGI's API endpoints are exclusively served over HTTPS.
Implement Rate Limit Handling: While not a direct security measure, properly handling OpenFIGI's rate limits prevents your application from being temporarily blocked, which could be exploited in a denial-of-service scenario if not managed.
Monitor API Usage: Regularly monitor your API usage patterns. Unusual spikes in requests could indicate a compromised key or an application error.
Rotate Keys Periodically: Although OpenFIGI does not enforce key rotation, it is good security practice to periodically generate a new API key and update your applications. This mitigates the risk associated with a long-lived key being compromised. If you suspect your key has been exposed, immediately generate a new one via the OpenFIGI website and update all applications using the old key.
Least Privilege Principle: While OpenFIGI's API keys do not have granular permissions, in systems where they might, always grant the minimum necessary permissions for the task at hand.

OpenFIGI Authentication: API Key Access & Security (2026)

Authentication overview

Supported authentication methods

Getting your credentials

Authenticated request example

Security best practices

Frequently asked questions

Reviews

Discussion

Written by