Authentication

To use OS APIs you need to authenticate your requests. Before you can authenticate requests you need to add the API into an API Project in the OS Data Hub; this gives you access to a Project API Key and Project API Secret. See Getting started with an API project for more information on setting up your API Project.

Types of authentication

There are three options for authenticating your API requests:

OAuth2

Using OAuth 2 for authentication is a two-stage process. First you use the Project API Key and Secret to create an access token, and then you include the access token in an Authorization header on your API request. The value of the Authorization header should be 'Bearer', a space, and then the access token, e.g. Bearer <accessToken>.

See the OAuth 2 API documentation for detailed instructions on how to create an access token.

HTTP Header

You can choose to authenticate your API request using an HTTP header. The header name should be key, and the value should be the Project API Key.

HTTP Query Parameter

You can choose to authenticate your API request using an HTTP query parameter. The parameter name should be key, and the value should be the Project API Key.
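
The three options above, shown as an added example (not code from the OS documentation) that builds the request for each option and masks the credential before the request is logged. With the query parameter option the key is part of the URL, so it appears wherever URLs are recorded. The endpoint, the srs parameter, the credential value and the function names are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder endpoint and credential values, constructed for this example.
EXAMPLE_URL = "https://api.example.invalid/v1/resource?srs=3857"
SENSITIVE_HEADERS = {"authorization", "key"}


def build_request(url, option, credential):
    """Return (url, headers) for 'oauth2', 'header' or 'query' authentication."""
    headers = {}
    if option == "oauth2":
        # credential is the access token created from the Project API Key and Secret
        headers["Authorization"] = f"Bearer {credential}"
    elif option == "header":
        headers["key"] = credential
    elif option == "query":
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("key", credential))
        url = urlunsplit(parts._replace(query=urlencode(query)))
    else:
        raise ValueError(f"unknown authentication option: {option}")
    return url, headers


def redact_for_log(url, headers):
    """Return copies of url and headers with the key or token masked."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    safe_url = urlunsplit(parts._replace(query=urlencode(query)))
    safe_headers = {k: "REDACTED" if k.lower() in SENSITIVE_HEADERS else v
                    for k, v in headers.items()}
    return safe_url, safe_headers


if __name__ == "__main__":
    for option in ("oauth2", "header", "query"):
        url, headers = build_request(EXAMPLE_URL, option, "CONSTRUCTED-VALUE")
        print(option, *redact_for_log(url, headers))
```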

Best practices

  • Keep your API keys and tokens secure at all times.

  • Rotate your keys periodically to minimize the risk of unauthorised access.

Monitoring and alerts

  • Regularly check the usage patterns of your API keys.

  • Set up alerts for unusual or unauthorised activities that could indicate a security breach.
