Skip to content

08-05 Auth Token Rollout

2019-08-05

This is a short post detailing the rollout plan to require auth tokens in calls to AVWX.

tl;dr

  • Make a free account on the account page
  • Generate your (free) token
  • Start including the Authorization header or token URL parameter
  • November 1st, 2019: Tokens will be required
  • December 1st, 2019: Daily rate limits are assigned
  • January 1st, 2020: Daily rate limits will be enforced

Problem

Currently, I have no insight into how users are using the API beyond aggregate statistics and email correspondence. I would be able to

There is also the economic issue that the API's growth has been unsustainable based on donations and feature-based offerings. About 95% of all traffic is for METARs which is a free tier feature. Introducing rate limits to tiers should help make AVWX break-even while remaining free for most users.

Solution

API tokens will be required to call AVWX starting in November. This is to allow time to gather usage data to determine the daily rate limits for each tier. Here are the important dates:

  • November 1st, 2019: Tokens will be required
  • December 1st, 2019: Rate limits are assigned
  • January 1st, 2020: Rate limits will be enforced

This should hopefully be enough time to update your apps, choose the appropriate usage tier, and register any concerns with me about this whole process. Part of the last account update included the ability to create custom tiers, so I can create custom tiers and prices for specific use cases.

I am going to include an open-source tier. My plan as of this post is for it to contain only free tier features but have to rate limit of the lowest paid tier.

I also plan to have rate limits for every tier. If a company is using more than the enterprise plan allows, we'll work together on a plan that fits their exact use case.

I chose daily rate limits instead of hourly or smaller because aviation reports are requested over the course of an entire day and mostly called dawn to dusk. Hourly rate limits would restrict usage during the day and go unused at night.

Steps So Far

I made an update to the account portal allowing users to select the free tier as an active plan and upgrade/downgrade to it as well without losing customer info. Free tiers can generate a token.

On the API side, token validation now checks the plan associated with the token to determine fulfillment eligibility instead of merely token existance. Token-based call counting is already implemeted.

Updated 2019-09-09

All API enpoints now check for token availability for logging purposes. Checks are currently disabled for missing tokens. API endpoints now can use allowed plan types as access controls. Tokens can also be supplied as a token URL parameter but will still use the header value first if found.

Todo

Roughly in order:

  • [X] Divest the token auth check from specific intents via endpoint.example and instead use something like endpoint.allowed_plans to assign plans to API features.
  • [ ] Generate example responses for METAR, TAF, and station endpoints
  • [ ] Enforce the Authorization header for all calls
  • [ ] Determine rate limits from token call usage
  • [ ] Announce rate limits
  • [ ] Add rate limits to plan data
  • [ ] Enforce daily rate limits against token call counts