Does adresse.data.gouv.fr require an API key?

No, the core geocoding, reverse geocoding, and address search services of adresse.data.gouv.fr do not require an API key or any form of authentication for public access.

How do I get credentials for adresse.data.gouv.fr?

You do not need to obtain credentials. The API is designed for public access, allowing you to use its services without registration or credential setup.

Is there a rate limit for adresse.data.gouv.fr API requests?

While the API is free and keyless, it may implement internal rate limiting based on IP addresses to ensure fair usage. Specific limits are not always published, so responsible usage and client-side rate limiting are recommended.

How can I secure my application when using a keyless API?

Focus on client-side security, input validation, output sanitization, implementing your own rate limiting, using HTTPS, and robust error handling to protect your application and ensure responsible API consumption.

Can I use adresse.data.gouv.fr from a client-side application?

Yes, you can use the API directly from client-side applications. However, ensure your client-side implementation follows security best practices, such as using HTTPS and validating user inputs.

Are there any specific headers required for requests?

No authentication-specific headers are required. Standard HTTP headers (e.g., Accept, User-Agent) may be used, but none are mandatory for authentication with the public endpoints.

adresse.data.gouv.fr Authentication: Methods & Security (2026)

Authentication overview

The adresse.data.gouv.fr API is designed for public access to French address data, providing services such as geocoding, reverse geocoding, and address search. A notable characteristic of this API is its keyless access model for its primary endpoints. This means that developers can begin using the core functionalities of the API without the need to register for an API key or manage credentials, streamlining the initial integration process for a wide range of applications, particularly those within the public sector in France.

While the absence of an API key simplifies access, it shifts the focus of security to other areas, such as ensuring the integrity of data consumed and protecting client-side applications from potential misuse. The API's design prioritizes accessibility and ease of use for its specific domain of French address data, making it a resource for developers and organizations working with geographical information in France.

For detailed information on API usage and specific endpoint behavior, refer to the official adresse.data.gouv.fr API documentation.

Supported authentication methods

The adresse.data.gouv.fr API primarily supports a keyless authentication model for its core geocoding and address search services. This approach is uncommon among many commercial APIs, which typically rely on API keys or OAuth 2.0 for access control. The rationale behind the keyless model for adresse.data.gouv.fr is to facilitate broad public access to essential French address data, aligning with its mission as a public service. Consequently, there are no traditional authentication methods like API keys, OAuth tokens, or JWTs required for standard requests.

The table below summarizes the authentication approaches:

Method	When to use	Security Level
No API Key (Keyless Access)	For all public-facing geocoding, reverse geocoding, and address search requests.	Public access, relies on client-side security and responsible usage.

This keyless model simplifies integration significantly, as developers do not need to manage or transmit sensitive credentials with their requests. However, it also implies that any rate limiting or usage monitoring is managed by IP address or other network-level mechanisms rather than individual API keys. Developers should consult the official API documentation for any updates or specific guidelines on usage policies.

Getting your credentials

For the core geocoding, reverse geocoding, and address search functionalities provided by adresse.data.gouv.fr, no specific credentials are required. The API operates on a public access model, meaning you can begin sending requests to the endpoints immediately without signing up for an account, generating an API key, or performing any credential setup. This design choice aims to maximize accessibility and ease of use for public data. The API documentation confirms this approach, stating that no API key is necessary for its primary services.

This streamlined access means there are no steps for credential generation, management, or rotation. Developers can focus directly on integrating the API into their applications. While this simplifies the process, it's important to understand the implications for security and responsible usage, as discussed in the security best practices section.

Authenticated request example

Since the adresse.data.gouv.fr API does not require an API key or other authentication tokens for its public endpoints, an "authenticated" request is simply a standard HTTP request to the API endpoint. The following example demonstrates a basic geocoding request using curl to search for an address in France. This example does not include any authorization headers or query parameters for authentication because they are not needed.

Example: Geocoding an address

This curl command searches for the address "8 rue du Faubourg Saint-Honoré, Paris" using the /search endpoint:

curl "https://api-adresse.data.gouv.fr/search/?q=8%20rue%20du%20Faubourg%20Saint-Honor%C3%A9,%20Paris"

The response will be a JSON object containing address suggestions and their geographical coordinates. For example, a successful response might include details such as:

{
  "type": "FeatureCollection",
  "features": [
    {
      "type": "Feature",
      "geometry": {
        "type": "Point",
        "coordinates": [
          2.316823,
          48.870932
        ]
      },
      "properties": {
        "label": "8 Rue du Faubourg Saint-Honoré 75008 Paris",
        "score": 0.99,
        "housenumber": "8",
        "id": "75108_3593_00008",
        "name": "8 Rue du Faubourg Saint-Honoré",
        "postcode": "75008",
        "citycode": "75108",
        "x": 651634.66,
        "y": 6862590.23,
        "city": "Paris",
        "district": "Paris 8e Arrondissement",
        "context": "75, Paris, Île-de-France",
        "importance": 0.654321,
        "street": "Rue du Faubourg Saint-Honoré"
      }
    }
  ],
  "attribution": "BAN",
  "licence": "ETALAB-2.0"
}

This example demonstrates the simplicity of making requests to the adresse.data.gouv.fr API due to its keyless model. For more detailed examples and available parameters, refer to the adresse.data.gouv.fr API documentation.

Security best practices

Although adresse.data.gouv.fr operates on a keyless authentication model for its core services, implementing security best practices remains crucial for applications that consume this API. The absence of traditional authentication shifts the security focus from credential management to client-side protection, responsible usage, and data integrity. Below are key recommendations:

Validate and Sanitize Inputs: Always validate and sanitize any user-provided input before passing it to the API. This practice helps prevent common web vulnerabilities like injection attacks, even when dealing with a public API. Ensure that address queries conform to expected formats to prevent malformed requests that could lead to unexpected behavior or errors. The Mozilla Developer Network provides guidance on injection attacks.
Implement Rate Limiting on Your End: While adresse.data.gouv.fr may have its own internal rate limiting, it is a best practice to implement rate limiting within your application. This protects your application from excessive API calls, whether accidental or malicious, and helps ensure fair usage of the public resource. Excessive requests can lead to temporary IP blocks or degraded service quality.
Secure Client-Side Implementations: If you are calling the API directly from a client-side application (e.g., a web browser), ensure that your application's security measures are robust. This includes using HTTPS for all communication to protect data in transit, even for public data. Avoid exposing sensitive internal logic or data that could be exploited by an attacker observing network traffic.
Error Handling and Logging: Implement comprehensive error handling and logging for API requests. This allows you to monitor for unusual activity, diagnose issues, and respond quickly to potential misuse or service interruptions. Understand the API's error codes and design your application to gracefully handle various failure scenarios.
Monitor Usage Patterns: Regularly monitor how your application uses the adresse.data.gouv.fr API. Look for spikes in requests, unusual query patterns, or unexpected responses. Proactive monitoring can help identify potential security incidents or inefficient usage that could impact your application or the API service.
Keep Dependencies Updated: Ensure that all libraries, frameworks, and other dependencies used in your application are kept up to date. Outdated software can contain known vulnerabilities that attackers might exploit to compromise your application, even if the API itself is publicly accessible.
Understand Data Privacy: While the API provides public address data, understand any privacy implications for how your application processes and stores this data, especially when combined with other user-specific information. Adhere to relevant data protection regulations applicable in your jurisdiction.

By adhering to these best practices, developers can ensure the secure and responsible integration of the adresse.data.gouv.fr API into their applications, maintaining the integrity of their systems and contributing to the stability of the public service.