Authentication and security
The ekko Climate API is served over HTTPS and follows standard REST conventions. Requests use resource-oriented URLs, accept JSON-encoded bodies, return JSON responses and follow conventional HTTP verbs and status codes.
Authentication
All requests require an API key, which you generate in ekko Hub. Pass the key in the Authorization header as a Bearer token on every call:
Authorization: Bearer ek_live_your_api_key
Your API key is validated on each request to ensure only authorised access.
API keys use the prefix ek_live_ followed by a base62-encoded string. ekko stores only a SHA-256 hash of the key, so the full key is shown only once when you generate it. Copy and store it securely at that point.
Store your API keys in environment variables or a secrets manager. Don’t expose them in client-side code or public repositories. You can rotate keys at any time in ekko Hub.
Key rotation
When you rotate a key in ekko Hub, the previous key remains valid for a grace period (12, 24, 36 or 72 hours) so you can update your systems without downtime. After the grace period, the old key expires automatically.
Protect your API key
Do not commit API keys to version control or include them in client-side code. If a key is compromised, rotate it immediately in ekko Hub.
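The scanner below is an added example, not ekko's own code: it finds strings shaped like an ekko key (the ek_live_ prefix plus base62 characters) in files or piped text, so it can run as a pre-commit hook, and it reports each hit redacted with a short SHA-256 fingerprint. The 20-character minimum length is an assumption, since this page gives only the prefix and the alphabet, and the function names are illustrative.

```python
import hashlib
import re
import sys

# Assumption: the page states the prefix and alphabet but not the key length;
# a 20-character minimum is a guess that also skips placeholders such as
# ek_live_your_api_key (underscores are not base62).
MIN_BODY_LEN = 20
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])ek_live_[0-9A-Za-z]{%d,}" % MIN_BODY_LEN)


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint, so a finding can be logged without the key."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:12]


def redact(key: str) -> str:
    """Keep only the prefix and the last four characters."""
    return "ek_live_" + "*" * 8 + key[-4:]


def scan_text(text: str, source: str = "<stdin>") -> list[dict]:
    """Return one finding per key-shaped token; the raw key is never kept."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            findings.append({"source": source, "line": line_no,
                             "redacted": redact(key),
                             "sha256_prefix": fingerprint(key)})
    return findings


def main(paths: list[str]) -> int:
    """Scan the given files, or stdin if none; return 1 when a key is found."""
    findings = scan_text(sys.stdin.read()) if not paths else []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), source=path))
    for f in findings:
        print(f"{f['source']}:{f['line']}: possible ekko API key "
              f"{f['redacted']} (sha256 {f['sha256_prefix']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A non-zero exit status blocks the commit when the script is wired into a hook; any key it reports should be treated as compromised and rotated in ekko Hub.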
IP allowlisting
For additional security, you can restrict access to ekko Climate API endpoints by IP address.
- Log in to ekko Hub
- Go to Console then IP allowlisting
- Add one or more IP addresses, ranges or CIDR blocks
- Enable allowlisting using the toggle at the top
Once enabled, only requests from approved IPs are accepted.
For more detail, see the ekko Hub overview.
