Authentication
All API requests must be authenticated with a subscription key. This page covers how to obtain your keys, include them in requests, and handle authentication errors.
Subscription Key Header
Include your subscription key in the Ocp-Apim-Subscription-Key header with every request. This is the recommended authentication method.
curl -H "Ocp-Apim-Subscription-Key: YOUR_API_KEY" \
"https://preflightapi-apim-service-test.azure-api.net/api/v1/metars/KJFK"Query Parameter Alternative
If adding a custom header is not possible in your environment, you can pass the key as a subscription-key query parameter instead. The header method is preferred since query parameters may appear in server logs and browser history.
curl "https://preflightapi-apim-service-test.azure-api.net/api/v1/metars/KJFK?subscription-key=YOUR_API_KEY"Obtaining Your Keys
API keys are provisioned automatically when you create an account. You can view and manage them from the API Keys page in your dashboard.
- Each subscription includes a primary and secondary key. Both work identically for authenticating requests.
- Keys are scoped to your subscription and carry the permissions of your current plan tier.
- When you upgrade or downgrade your plan, your existing keys remain the same — only the tier permissions change.
Key Rotation
Having two keys allows zero-downtime rotation. Here's the recommended process:
- Update your application to use the secondary key.
- Regenerate the primary key from your dashboard.
- Update your application to use the new primary key.
- Optionally regenerate the secondary key for a full rotation.
Environment Setup
Store your API key in an environment variable to keep it out of source code.
// Read from environment variable
const API_KEY = process.env.PREFLIGHT_API_KEY!
const response = await fetch(
'https://preflightapi-apim-service-test.azure-api.net/api/v1/metars/KJFK',
{
headers: { 'Ocp-Apim-Subscription-Key': API_KEY },
},
)Security Best Practices
- Never embed API keys in client-side code (browser JavaScript, mobile apps). Make API calls from your backend server.
- Add
.envto your.gitignoreto prevent accidental commits of keys to version control. - Use environment variables or a secrets manager in production (e.g., AWS Secrets Manager, Azure Key Vault).
- Rotate keys periodically using the regenerate function in your dashboard.
- If a key is compromised, regenerate it immediately from the API Keys page.
Tier-Based Access Control
Your API key carries the permissions of your subscription plan. Certain endpoints are restricted to higher tiers. If your key is valid but your plan does not include access to the requested endpoint, the API returns a 403 Forbidden response:
{
"error": "This endpoint is not available on the Free tier. Please upgrade to Starter or Professional."
}See the endpoint access table on the overview page for a full breakdown of which endpoints are available on each plan, or visit pricing to compare plans.
Authentication Errors
If authentication fails (missing key, invalid key, or expired subscription), the API gateway returns a 401 Unauthorized response:
{
"statusCode": 401,
"message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription."
}| Status | Cause | Resolution |
|---|---|---|
401 | Missing or invalid subscription key | Check that the Ocp-Apim-Subscription-Key header is present and contains a valid key |
403 | Valid key, but endpoint not available on your plan | Upgrade your subscription to a plan that includes access to this endpoint |
403 | Monthly quota exceeded | Wait for your monthly quota to reset or upgrade your plan |