What authentication methods does Joshua Project support?

Joshua Project's API primarily supports authentication using API keys. You obtain a unique key that you include in your API requests to gain access to their data.

How do I get an API key for Joshua Project?

You typically need to register an account on the Joshua Project website and then follow the instructions in their API documentation to request and receive your unique API key.

Can I use the Joshua Project API key in client-side applications?

It is not recommended to embed your API key directly into client-side code (e.g., JavaScript in a browser or mobile app) as it can be easily exposed. Instead, route requests through a secure backend server that holds your API key.

What kind of data can I access with a Joshua Project API key?

With an API key, you can access data on unreached people groups, country profiles, language data, and geographic information, among other datasets provided by Joshua Project.

Are there different types of API keys for commercial vs. non-commercial use?

Yes, Joshua Project generally offers free API access for non-commercial use with specific rate limits. Commercial use typically requires contacting them for separate licensing and potentially a different type of API key.

What should I do if my Joshua Project API key is compromised?

If your API key is compromised, you should immediately contact Joshua Project support and follow their instructions to revoke or regenerate the key to prevent unauthorized access.

Where should I store my Joshua Project API key?

API keys should be stored securely, ideally in environment variables on your server, and never hardcoded into your application's source code or committed to public version control systems.

Joshua Project Authentication: API Key Access (2026)

Authentication overview

Joshua Project provides access to its extensive database of unreached people groups, country profiles, and language data primarily through an API. Authentication for this API is managed through API keys. These keys serve as a unique identifier and credential, granting your application permission to retrieve data from the Joshua Project servers. The API is designed for read-only access to its datasets, supporting various research, academic, and humanitarian applications.

The authentication model is straightforward, focusing on ease of integration for developers who need to programmatically access demographic and social data. While the core API access is often free for non-commercial use, specific rate limits and usage policies apply. Commercial use cases typically require direct contact with Joshua Project for licensing and potentially different API key arrangements, as detailed in the Joshua Project API documentation.

Supported authentication methods

Joshua Project's API primarily supports authentication via API keys. This method involves including a unique key in your API requests, which the Joshua Project server then validates to permit access. This approach is common for APIs that offer read-only access to public or semi-public datasets where user-specific authentication (like OAuth 2.0) is not required for individual user data, but rather for application-level access.

API Key

An API key is a simple token that you include with your requests. When you make a request to a Joshua Project API endpoint, this key is passed, typically as a query parameter or a custom header, to identify and authenticate your application. The server then checks if the provided key is valid and authorized to access the requested resource. This method is suitable for server-to-server communication or client-side applications where the API key can be securely stored or managed.

When to use API Keys

Server-side applications: Ideal for backend services that fetch data from Joshua Project, where the API key can be stored securely and not exposed to end-users.
Public data access: When your application primarily needs to retrieve public or generally available data, and user-specific permissions are not a concern.
Simplicity: For quick integrations and development, as API keys are generally easier to implement than more complex authentication flows like OAuth.

The following table summarizes the key characteristics of the API key authentication method:

Method	When to Use	Security Level
API Key	Server-side applications, public data access, non-commercial use, simple integration	Moderate (requires secure key management)

Getting your credentials

To obtain an API key for the Joshua Project API, you typically need to register an account and request access. The process is outlined on the official Joshua Project website, specifically within their API help section. This usually involves:

Account Registration: If you don't already have one, create an account on the Joshua Project website. This often requires providing basic contact information.
API Key Request: Navigate to the API documentation or a dedicated developer portal section, as described in the Joshua Project API documentation. There, you will find instructions on how to request an API key. This may involve filling out a form detailing your intended use case.
Key Issuance: Once your request is reviewed and approved, Joshua Project will issue a unique API key. This key is a string of alphanumeric characters that you will use in your API calls.
Terms of Use: Before using the API key, ensure you understand and comply with the Joshua Project's terms of service and acceptable use policy, especially regarding commercial versus non-commercial use and data redistribution policies.

It is crucial to treat your API key as a sensitive credential, similar to a password. Do not embed it directly into client-side code that can be inspected by users, and avoid committing it to public version control systems.

Authenticated request example

Once you have obtained your API key, you can include it in your HTTP requests to the Joshua Project API. The exact method of inclusion (query parameter vs. header) will be specified in the Joshua Project API documentation. For demonstration purposes, let's assume the API key is passed as a query parameter named api_key.

Here's an example using curl to fetch data for a specific people group, replacing YOUR_API_KEY with your actual key and people_group_id with the relevant identifier:

curl -X GET "https://api.joshuaproject.net/v1/people_groups/people_group_id?api_key=YOUR_API_KEY"

In this example:

-X GET specifies the HTTP GET method.
"https://api.joshuaproject.net/v1/people_groups/people_group_id" is the endpoint for retrieving information about a specific people group.
?api_key=YOUR_API_KEY appends your unique API key as a query parameter.

For programmatic access in various languages, the approach is similar. For instance, in Python using the requests library:

import requests

api_key = "YOUR_API_KEY"
people_group_id = "some_id"
url = f"https://api.joshuaproject.net/v1/people_groups/{people_group_id}"

params = {
    "api_key": api_key
}

response = requests.get(url, params=params)

if response.status_code == 200:
    data = response.json()
    print(data)
else:
    print(f"Error: {response.status_code} - {response.text}")

Always refer to the official Joshua Project API documentation for the most up-to-date endpoint structures, required parameters, and specific instructions on API key usage.

Security best practices

Securing your API keys and managing access to the Joshua Project API is critical to protect your application and prevent unauthorized data access. Adhere to these best practices:

Keep API Keys Confidential: Your API key is a secret. Never hardcode it directly into client-side code (e.g., JavaScript in a web browser or mobile app) where it can be easily extracted. Instead, use a backend server to make API calls, with the key stored securely on your server.
Use Environment Variables: Store API keys in environment variables rather than directly in your code or configuration files. This prevents them from being accidentally committed to version control systems like Git. For example, in Node.js, you might use process.env.JOSHUA_PROJECT_API_KEY.
Avoid Public Repositories: Never commit API keys or configuration files containing them to public code repositories. If a key is accidentally exposed, revoke it immediately via the Joshua Project developer portal (if such functionality exists) or contact Joshua Project support.
Implement Server-Side Proxy: For client-side applications (web or mobile), route all API requests through your own backend server. Your server can then append the API key before forwarding the request to Joshua Project. This keeps the key hidden from the client.
Restrict Key Permissions (if applicable): While Joshua Project's API keys typically offer read-only access, if future iterations or custom keys allow for different permissions, always request and use the minimum necessary permissions for your application.
Monitor Usage: Regularly monitor your API usage for any unusual activity that might indicate a compromised key.
Rotate Keys Periodically: While not always explicitly required, rotating API keys periodically (e.g., every 6-12 months) can reduce the risk associated with a long-lived, potentially compromised key. Check the Joshua Project API documentation for guidance on key rotation.
Secure Production Environments: Ensure that your production servers and services where API keys are stored are properly secured according to industry best practices, including strong access controls, firewalls, and regular security audits. General API security guidelines from organizations like IETF RFC 6749 for OAuth 2.0 emphasize the importance of protecting credentials, a principle applicable to API keys as well.