OAuth 2.0 (opens in a new tab) is the primary method for users to access the Xweather Weather API in order to track usage and keep users' data secure. Since the Xweather Weather API does not provide access to private user account data and information, all general requests to the weather API only require userless access in which you pass your unique API access ID and secret key with every request.
Each third-party application must register itself in order to obtain the proper API credentials. Additionally, each credential is tied to a unique application identifier for the user's application, which for the web is simply the domain that API requests will be made from, such as
https://somedomain.com. For iOS applications, this identifier will be the full bundle identifier for their application, e.g.
com.somedomain.SomeAppName. Every weather API request will include these identifiers that the API will validate before returning a response.
For example, every request you make to the API must include at least your assigned client ID and secret key for the application:
You can still include your custom options with the request:
When you register a new application to use your weather API account, you will be required to provide the namespace under which the secret key you are creating will be used. This will restrict all requests using that client ID and secret key combination to the namespace you provided within your account area.
For web requests, the namespace should be the top-level domain (TLD) from which the requests will be made, such as
*.mydomain.com. Note that if you provide a subdomain, such as
sub.mydomain.com, all requests will be restricted to that specific subdomain instead of the top-level domain. However for mobile applications, specifically iOS and Android, your namespace should be the bundle identifier for your application that conforms to the Reverse DNS naming convention (e.g.,
When secure connections to the weather API are required, the HTTPS protocol can be utilized with the API, by querying with “https” in place of “http”. For example: