Build a free API without api_key


Hi all

I have a lot of APIs used to distribute data via GET requests; I’d like to create a free GET API without an api_key. Is there a way?
I tried using “Guest Access”, but it provides access to specific API services without requiring authentication (token) while still requiring an “api_key”. Is there a way to release a free API?

Thank you.


Hi @vlauciani,

While you do not need to always supply a JWT or Session Token with any API requests, you must supply an API Key with every call. As you have seen the “Guest Access” page already, I wanted to just follow that up with this snippet:

Applications can be given “guest” access by assigning a default role to an application, detailing what resources should be accessible without user authentication. This is useful, if your application has an open “website” or kiosk mode.

This would enable you to basically open the endpoints you wanted, while maintaining the architectural restriction of always passing an API key. This restriction is purposeful to allow you, as the administrator, to have full control of the access of the data. If you set up Guest Access and just put the API key in a config file or .env file and then called it as needed in your app, akin to something like this in a React app I am building:


If that app had no restrictions on it, I can make that GET call from anywhere, as long as the role assigned to that API key allows for unlimited traffic.

That is as close as DF comes to having a “wide open” data source.


Thank you for your answer.

I understand your point of view, but with this approach each public user that uses my public API should have an “api_key”!!!
My API returns, for example, a JSON with the temperature for each place; this API is public and everyone can retrieve data. I have more than 2000 requests per day from more or less 200 single users; should I produce 200 “api_key” values, one for each user? Should every new user request a new “api_key” from me?

The idea is to open to public access (without “token” and/or “api_key”) a small set of APIs with only limited access.



That is why you set the API key as a server system variable. No one can access it if you do that, as you would call it as a variable in any outward-facing application.

You would only create 1 key that would serve as the access point for the data containing the information you wish to expose. I am guessing right now you have an application, that people can interact with, and when they hit submit, it returns the JSON data, similar to this from Open Weather:


The API key (which I have obfuscated here) could have a role assigned to it to only access the GET verb. You could use multiple keys if you wanted to try and track which endpoints had been hit and by whom, but for simplicity’s sake, you can just create one, set it as a server side variable, call it in your application when someone makes a request for the data and you would be all set.



If I understand correctly, the idea is to create the “Server_A” front-end where users send GET requests (for example: http://server_a/api/v2/weather?zip=94040), then “Server_A” adds the param “api_key=<api_for_get>” to the request and forwards it to “Server_B”, where DreamFactory is installed. “Server_B” validates the “api_key” and returns the “service”.

Is it correct?
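
The forwarding flow described in the last post, as an added example that is not part of the original thread or DreamFactory's own code: the logic "Server_A" would run before calling "Server_B", with the single read-only key taken from a server-side variable and sent in the `X-DreamFactory-API-Key` header. The host names, allowlists and rate limit are constructed assumptions.

```javascript
// Added example: request handling on "Server_A" in front of DreamFactory ("Server_B").
// Constructed/assumed values: both host names, the allowlists, and the rate limit.
const UPSTREAM = "http://server-b.example";
const PUBLIC_PATHS = new Set(["/api/v2/weather"]); // endpoints meant to be public
const ALLOWED_PARAMS = new Set(["zip"]);           // query parameters passed through
const LIMIT_PER_MINUTE = 60;                       // per client IP
const windows = new Map();                         // clientIp -> { minute, count }

// Fixed-window counter: true while the client is within its per-minute budget.
function withinLimit(clientIp, nowMs) {
  const minute = Math.floor(nowMs / 60000);
  const entry = windows.get(clientIp);
  if (!entry || entry.minute !== minute) {
    windows.set(clientIp, { minute, count: 1 });
    return true;
  }
  entry.count += 1;
  return entry.count <= LIMIT_PER_MINUTE;
}

// Returns either an error status or the request Server_A should send upstream.
function buildUpstreamRequest(method, rawUrl, clientIp, apiKey, nowMs = Date.now()) {
  if (!apiKey) throw new Error("API key missing from server environment");
  if (method !== "GET") return { status: 405 };

  // URL parsing normalizes "../" segments before the allowlist comparison.
  const incoming = new URL(rawUrl, "http://server-a.example");
  if (!PUBLIC_PATHS.has(incoming.pathname)) return { status: 404 };
  if (!withinLimit(clientIp, nowMs)) return { status: 429 };

  // Rebuild the query from the allowlist, so a client-supplied api_key is dropped.
  const upstream = new URL(incoming.pathname, UPSTREAM);
  for (const [name, value] of incoming.searchParams) {
    if (ALLOWED_PARAMS.has(name)) upstream.searchParams.append(name, value);
  }
  return {
    status: 200,
    url: upstream.toString(),
    headers: { "X-DreamFactory-API-Key": apiKey }, // key travels in a header, not the URL
  };
}
```

In a real handler the `apiKey` argument would be read from the server environment, and the role attached to that key in DreamFactory should still be limited to the GET verb as described above.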