User Credentials Policy

From OpenStreetMap Wiki
Jump to navigation Jump to search
This is a draft Acceptable Use Policy, created on behalf of the Technical Working Group

There are several methods of providing credentials to the OpenStreetMap API, including HTTP Basic Auth, OAuth and web-based cookies. Some of these methods expose, or give rise to potential exposure of, user credentials to third parties. We aim to avoid this.

As such,

  • Websites MUST NOT ask for user passwords.
  • Applications SHOULD NOT ask for user passwords.

The user should, ideally, only be required to enter their password into a secured webpage on the domain, and nowhere else.

It is expected that most websites and applications will use OAuth to gain authorisation tokens to interact with the API on the users behalf.


  • Terms are defined as per 2119.
  • It is possible that, in future, OAuth may be mandated for all applications. Application authors are strongly advised to support OAuth in their applications.