Authentication
All Geo-Engine API requests are authenticated using API keys.
API Key Authentication
Getting Your API Key
- Contact your Quarticle account manager, or log in to your Geo-Engine Dashboard
- Go to Settings → API Keys
- Click Generate New Key
- Copy your key immediately (you won't be able to see it again)
Using Your API Key
Include your API key in the Authorization header of every request.
Your API key is a server-side secret. Never use it in client-side (browser) JavaScript, mobile app bundles, or any code that is shipped to end users. Anyone who can view your page source or intercept network traffic will be able to steal it.
If your web application needs to call Qarta from the browser (e.g., to load WMS tiles in Leaflet), route those requests through a backend proxy that attaches the API key server-side:
- GeoServer Proxy (Python) — for WMS/WFS tile and feature requests
- Full API Proxy (Python) — for all other Qarta API endpoints
Send the API key value directly in the Authorization header. Do not add a Bearer prefix or any other formatting.
Authorization: YOUR_API_KEY
cURL:

curl -X GET "https://graph.quarticle.ro/graph/api/v1/places/geocode?q=Berlin" \
  -H "Authorization: YOUR_API_KEY"

JavaScript:

const response = await fetch(
  'https://graph.quarticle.ro/graph/api/v1/places/geocode?q=Berlin',
  {
    headers: {
      'Authorization': 'YOUR_API_KEY'
    }
  }
);

Python:

import requests

response = requests.get(
    'https://graph.quarticle.ro/graph/api/v1/places/geocode',
    params={'q': 'Berlin'},
    headers={'Authorization': 'YOUR_API_KEY'}
)

Security Best Practices
- Backend only - Never include your API key in client-side JavaScript, mobile app bundles, or HTML. Always call the API from your server.
- Never commit API keys - Store them in environment variables
- Rotate regularly - Generate new keys periodically
- Use scoped keys - Restrict key permissions to specific products/operations
- Monitor usage - Check your dashboard for unusual activity
Key Rotation
API keys should be rotated periodically for security.
Rotating Keys
- Generate a new key (keep both active during transition)
- Update your application to use the new key
- Test thoroughly
- Revoke the old key
Checking Authentication Headers
All requests must include proper authentication. Missing or invalid authentication will return a 401 Unauthorized response.
Token Expiration
- API Keys - No expiration (until revoked)
Environment Variables
Store your credentials securely using environment variables:
# .env file (never commit this!)
QARTA_API_KEY=your_api_key_here
Access in your code:
JavaScript:

const apiKey = process.env.QARTA_API_KEY;

Python:

import os
api_key = os.getenv('QARTA_API_KEY')
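
One way to build the backend proxy described under Using Your API Key, with the key read from the QARTA_API_KEY environment variable shown above. This is an added example, not Quarticle's own proxy code; the function and class names, the listen address 127.0.0.1:8080 and the one-entry path allowlist are assumptions.

```python
import os
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://graph.quarticle.ro"            # host from the request examples above
ALLOWED_PATHS = {"/graph/api/v1/places/geocode"}   # assumption: only what the front end needs


def build_upstream_request(raw_path, api_key):
    """Map a browser request path to an upstream Request, or None if not allowed."""
    parts = urllib.parse.urlsplit(raw_path)
    if parts.path not in ALLOWED_PATHS:            # exact match, so "../" tricks fail
        return None
    url = UPSTREAM + parts.path + ("?" + parts.query if parts.query else "")
    # The key value is sent as-is, with no "Bearer" prefix. Browser headers are
    # never copied, so a client cannot supply or overwrite Authorization.
    return urllib.request.Request(url, headers={"Authorization": api_key})


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        req = build_upstream_request(self.path, self.server.api_key)
        if req is None:
            self.send_error(404)
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as upstream:
                status, body = upstream.status, upstream.read()
                ctype = upstream.headers.get("Content-Type", "application/json")
        except urllib.error.HTTPError as err:      # relay the status, not the error body
            status, body, ctype = err.code, b"", "text/plain"
        except urllib.error.URLError:              # upstream unreachable
            status, body, ctype = 502, b"", "text/plain"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    api_key = os.environ["QARTA_API_KEY"]          # fail at start-up if the key is missing
    server = HTTPServer(("127.0.0.1", 8080), ProxyHandler)
    server.api_key = api_key
    server.serve_forever()
```

The browser then calls the proxy's own origin and never sees the key; put your application's session or origin checks in front of it so the proxy is not an open relay for your quota.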