OpenCageData/opencagedata-misc-docs

IP based rate limit & cryptographic key

DenisCarriere opened this issue · 1 comment

This is simply just a question: do you intend to simply have your OpenCage geocoder API available without using a key? Many providers like Nominatim & Google simply use a rate limit of 2500 based on your IP address.

Someone could simply sign up for 10 keys with different email addresses and use your service 25,000/day; being IP-based would make it more difficult for someone to do this.

Obviously the "Paid" membership is good to have a key; however, if it's simply a URL parameter, then someone could easily steal someone's key.

The most secure way I've seen it done is how Google is doing it with a cryptographic key using a Client ID and a Signature Key: you encode your query using Base 64 with the secret key, and on the server side it decodes it with your "secret key". That way your key is never getting shown as a URL parameter.

https://developers.google.com/maps/documentation/business/webservices/#cryptographic_signing_key

If you ever go towards that direction, let me know and I can update my Python Geocoder to suit that requirement.
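The Google-style request signing Denis describes, as an added illustration (this is not OpenCage's or Denis's code): the client keeps its secret and sends only an HMAC-SHA1 over the path and query, so a captured URL reveals the client id but never the secret, and a modified query no longer verifies. The endpoint host, client id and secret below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlparse

# Constructed placeholders, not real credentials. The shared secret is handed out
# base64url-encoded (the scheme uses '-' and '_' in place of '+' and '/').
CLIENT_ID = "gme-exampleclient"
SECRET_KEY_B64URL = base64.urlsafe_b64encode(b"constructed-secret-20").decode()
ENDPOINT = "https://api.example.invalid/geocode/v1/json?"
MARKER = "&signature="


def sign_url(url: str, secret_b64url: str) -> str:
    """Client side: append a base64url HMAC-SHA1 of the path + query to the URL."""
    parsed = urlparse(url)
    to_sign = (parsed.path + "?" + parsed.query).encode()
    key = base64.urlsafe_b64decode(secret_b64url)
    digest = hmac.new(key, to_sign, hashlib.sha1).digest()
    return url + MARKER + base64.urlsafe_b64encode(digest).decode()


def verify_url(signed_url: str, secret_b64url: str) -> bool:
    """Server side: recompute the signature over everything before the marker.

    The comparison is constant-time so a forger cannot learn the signature
    byte by byte from response timing.
    """
    idx = signed_url.rfind(MARKER)
    if idx < 0:
        return False  # unsigned request: reject rather than fall back to the plain key
    unsigned, presented = signed_url[:idx], signed_url[idx + len(MARKER):]
    expected = sign_url(unsigned, secret_b64url)[idx + len(MARKER):]
    return hmac.compare_digest(expected, presented)


def build_request(query: str, client_id: str, secret_b64url: str) -> str:
    """Build a signed geocoding request; only the client id travels in the URL."""
    params = urlencode({"q": query, "client": client_id})
    return sign_url(ENDPOINT + params, secret_b64url)


if __name__ == "__main__":
    url = build_request("Berlin", CLIENT_ID, SECRET_KEY_B64URL)
    print(url)
    print("verifies:", verify_url(url, SECRET_KEY_B64URL))
    print("tampered verifies:", verify_url(url.replace("Berlin", "Paris"), SECRET_KEY_B64URL))
```

Rate limiting then keys off the verified client id, so a key copied out of a URL is useless without the secret that produced the signature.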

Hi Denis,
thanks for the question. The short answer is, we're working on it. IP restriction isn't great if someone writes an app that is then used by thousands of people, each with a different IP address.

Don't worry, when we introduce any new system there will be plenty of notice.