Authentication

To use OS APIs you need to authenticate your requests. Before you can authenticate requests you need to add the API into an API Project in the OS Data Hub; this gives you access to a Project API Key and Project API Secret. See Getting started with an API project for more information on setting up your API Project.

Types of authentication

There are three options for authenticating your API requests:

OAuth2

Using OAuth 2 for authentication is a two-stage process. First you use the Project API Key and Secret to create an access token, and then you include the access token in an Authorization header on your API request. The value of the Authorization header should be 'Bearer', a space, and then the access token, e.g. Bearer <accessToken>.

See the OAuth 2 API documentation for detailed instructions on how to create an access token.

HTTP Header

You can choose to authenticate your API request using a HTTP header. The header name should be key, and the value should be the Project API Key.

HTTP Query Parameter

You can choose to authenticate your API request using a HTTP query parameter. The parameter name should be key, and the value should be the Project API Key.

Best practices

Keep your API keys and tokens secure at all times.
Rotate your keys periodically to minimize the risk of unauthorised access.

Monitoring and alerts

Regularly check the usage patterns of your API keys.
Set up alerts for unusual or unauthorised activities that could indicate a security breach.

PreviousGetting started with an API project NextError codes

Last updated 1 year ago

Was this helpful?