OAuth 2 API

Last updated 1 year ago

OAuth 2 is an industry-standard protocol for authorization. It gives APIs a mechanism that lets applications access resources with time-limited tokens. A common use case for the OS Data Hub OAuth 2 API is a web application that calls the OS Data Hub APIs from the browser. Because the user's browser is not a trusted environment, the author of the web application should not embed the project API key in the application code, but the application still needs to be able to access the API.

Implementing a server backend

One solution to this paradox is to implement a server backend that requests OAuth 2 access tokens using authentication credentials stored on the server. The server backend can then hand the access token to the frontend application code. Once the frontend has the access token, it can use it to make HTTP calls directly to any of the OS Data Hub APIs that have been added to your OS Data Hub project. Access tokens are time-limited, so when a token expires (or shortly before it does) the frontend should call the server backend to request a new one before making further OS Data Hub API calls.

Using this implementation pattern prevents end-users from seeing your API authentication credentials, and as a result helps to prevent your subscription limits being consumed outside your application.

Hiding API credentials

Please note that using the OAuth 2 API in this way hides your API credentials from public view. However, you should take additional steps in your server backend to ensure that you do not hand out access tokens to unauthorised users. A common option is to issue a token only once the user has logged into the application. Once an end-user holds an access token you cannot monitor or control their use of it, as they can invoke the OS Data Hub APIs directly until the token expires.

Implementing a proxy

An alternative way to protect your API key is to implement a server backend that acts as a proxy for the OS Data Hub APIs. Using this approach, the proxy validates the user's request before adding your Project API Key and passing the request on to the OS Data Hub API endpoint. As each request passes through your proxy, you can exercise fine-grained control over the requests that you allow through. Common options are to check that the user is logged in before allowing access, and/or to validate that the query the application is making matches a list of permitted queries.

There is no inherent difference in the level of security provided by the OAuth 2 and proxy approaches, as the API access credentials are stored server-side in both cases. The difference is in control after the secret leaves your server: a proxy sees every request and can reject it, whereas an access token, once issued, can be used directly against the OS Data Hub APIs until it expires.

For more information about OAuth 2, please see oauth.net and aaronparecki.com.

Things to remember for the OAuth 2 API

You can:

  • Create time limited access tokens.

  • Hide your API access credentials from end-users.

  • Restrict the available APIs within the project.

You can't:

  • Restrict which data layers can be accessed using an access token.

  • View mapping or data without making additional calls to the relevant APIs.
