Last updated April 24th, 2026

Authentication

Every request to the Cryosphere Innovation REST API must include an API key. The key identifies the caller and determines which deployments they can read.

Generating a key

API keys are generated from your user settings. Under API Keys, click Generate new key.

Keys are shown in full exactly once, at the moment of creation — copy the value somewhere safe before closing the dialog. After that, only the first and last few characters are visible in the settings UI.

Revoke a key at any time by deleting it from the same panel; deletion is immediate and irreversible.

Passing the key

Include the key on every request in the Authorization header using the Bearer scheme:

Authorization header
Authorization: Bearer YOUR_API_KEY
Authorization header
Authorization: Bearer YOUR_API_KEY

Concretely, with curl:

curl
curl "https://api.cryosphereinnovation.com/public/deployments/" \
  -H "Authorization: Bearer YOUR_API_KEY"
curl
curl "https://api.cryosphereinnovation.com/public/deployments/" \
  -H "Authorization: Bearer YOUR_API_KEY"

If the header is missing or malformed, the API returns a 403 with a short JSON body. See Errors for the exact response shape.

Access rules

The public API is read-only. Your key grants access to:

  • Every public deployment — any deployment listed on the Data Portal is readable by any valid key.
  • Your private deployments — deployments you own, plus any private deployments where you've been added as a collaborator.

Deployments marked private are invisible to everyone else, including other authenticated users. There is no way to elevate access via the public API — collaborator status is managed by the deployment owner from the deployment's settings page.

Key security

Treat your API key with the same care as a password.

  • Do not commit keys to source control. Use an environment variable or secret manager.
  • Rotate keys regularly if they're exposed to client-side code (e.g. browser scripts). Generate a new key, swap it in, and delete the old one.
  • Keys do not expire automatically. A key stays valid until you delete it.

Browser access (CORS)

The API accepts cross-origin browser requests only from Cryosphere Innovation domains (cryosphereinnovation.com and its subdomains). Browser calls from other origins will be blocked by the browser's CORS policy before the request reaches the API.

If you need to query the API from a browser app hosted elsewhere, route the request through your own server-side code and forward the result to the client.

Next

  • Endpoints — URLs, query parameters, response schemas
  • Errors — authentication failure response bodies and other error codes
PreviousQuickstart
NextEndpoints