Authentication
All API requests must be authenticated with a subscription key. This page covers how to obtain your keys, include them in requests, and handle authentication errors.
Add this header to every request:
Ocp-Apim-Subscription-Key: YOUR_API_KEY
Get your key from the API Keys dashboard.
Subscription Key Header
Include your subscription key in the Ocp-Apim-Subscription-Key header with every request. This is the recommended authentication method.
curl -H "Ocp-Apim-Subscription-Key: YOUR_API_KEY" \
  "https://api.preflightapi.io/api/v1/metars/KJFK"
Obtaining Your Keys
API keys are provisioned automatically when you create an account. You can view and manage them from the API Keys page in your dashboard.
- Each subscription includes a primary and secondary key. Both work identically for authenticating requests.
- Keys are scoped to your subscription and carry the permissions of your current plan tier.
- When you upgrade or downgrade your plan, your existing keys remain the same — only the tier permissions change.
Key Rotation
Having two keys allows zero-downtime rotation. Here's the recommended process:
- Update your application to use the secondary key.
- Regenerate the primary key from your dashboard.
- Update your application to use the new primary key.
- Optionally regenerate the secondary key for a full rotation.
Environment Setup
Store your API key in an environment variable to keep it out of source code.
# Export the key in your shell
export PREFLIGHT_API_KEY="your-subscription-key-here"
curl -H "Ocp-Apim-Subscription-Key: $PREFLIGHT_API_KEY" \
  "https://api.preflightapi.io/api/v1/metars/KJFK"

# .env (add to .gitignore!)
PREFLIGHT_API_KEY=your-subscription-key-here

Security Best Practices
- Never embed API keys in client-side code (browser JavaScript, mobile apps). Make API calls from your backend server.
- Add .env to your .gitignore to prevent accidental commits of keys to version control.
- Use environment variables or a secrets manager in production (e.g., AWS Secrets Manager, Azure Key Vault).
- Rotate keys periodically using the regenerate function in your dashboard.
- If a key is compromised, regenerate it immediately from the API Keys page.
Tier-Based Access Control
Your API key carries the permissions of your subscription plan. Certain endpoints are restricted to higher tiers. If your key is valid but your plan does not include access to the requested endpoint, the API returns a 403 Forbidden response:
{
  "error": "This endpoint is not available on the Free tier. Please upgrade to Private or Commercial."
}
See the endpoint access table on the overview page for a full breakdown of which endpoints are available on each plan, or visit pricing to compare plans.
Authentication Errors
If authentication fails (missing key, invalid key, or expired subscription), the API gateway returns a 401 Unauthorized response:
{
  "statusCode": 401,
  "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription."
}

| Status | Cause | Resolution |
|---|---|---|
| 401 | Missing or invalid subscription key | Check that the Ocp-Apim-Subscription-Key header is present and contains a valid key |
| 403 | Valid key, but endpoint not available on your plan | Upgrade your subscription to a plan that includes access to this endpoint |
| 429 | Rate limit or monthly quota exceeded | Check the error field: RateLimitExceeded (retry after delay) or QuotaExceeded (wait for reset or upgrade) |
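
The error table above as backend-side handling, in an added example that is not code from the PreflightAPI documentation: the key is read from PREFLIGHT_API_KEY, masked before it is logged, and only a RateLimitExceeded 429 is retried. The function names, the action labels, the injected `send` callable and the `{"error": "..."}` body shape for 429 responses are assumptions.

```python
import json
import os
import time

KEY_HEADER = "Ocp-Apim-Subscription-Key"  # header name from this page
KEY_ENV = "PREFLIGHT_API_KEY"             # variable name from Environment Setup


def auth_headers(environ=os.environ):
    """Build the auth header from the environment; fail closed if the key is absent."""
    key = environ.get(KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return {KEY_HEADER: key}


def redact(headers):
    """Return a copy that is safe to log: the subscription key value is masked."""
    return {k: "***" if k.lower() == KEY_HEADER.lower() else v for k, v in headers.items()}


def classify(status, body):
    """Map a response to one action label (hypothetical names), per the status table."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "fix_key"        # missing/invalid key or expired subscription
    if status == 403:
        return "upgrade_plan"   # valid key, endpoint not in the plan tier
    if status == 429:
        try:
            # Assumed body shape: {"error": "RateLimitExceeded" | "QuotaExceeded"}
            err = json.loads(body).get("error")
        except (ValueError, AttributeError, TypeError):
            err = None
        if err == "RateLimitExceeded":
            return "retry"
        return "wait_quota" if err == "QuotaExceeded" else "fail"
    return "fail"


def call(send, headers, max_retries=3, sleep=time.sleep):
    """Run send(headers) -> (status, body); retry only rate-limit 429s, with backoff."""
    for attempt in range(max_retries + 1):
        status, body = send(headers)
        action = classify(status, body)
        if action != "retry" or attempt == max_retries:
            return action, status  # "retry" here means still rate limited after all attempts
        sleep(2 ** attempt)        # 1s, 2s, 4s; 401, 403 and quota errors are never retried
```

Pass `call` any function that performs the HTTP request and returns `(status, body)`; log `redact(headers)` rather than the headers themselves.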