User Credentials Policy
- This is a draft Acceptable Use Policy, created on behalf of the Technical Working Group
There are several methods of providing credentials to the OpenStreetMap API, including HTTP Basic Auth, OAuth and web-based cookies. Some of these methods expose, or give rise to potential exposure of, user credentials to third parties. We aim to avoid this.
- Websites MUST NOT ask for user passwords.
- Applications SHOULD NOT ask for user passwords.
The user should, ideally, only be required to enter their password into a secured webpage on the www.openstreetmap.org domain, and nowhere else.
It is expected that most websites and applications will use OAuth to gain authorisation tokens to interact with the API on the user's behalf.