What authentication methods does the National Park Service API support?

The National Park Service API primarily supports API key authentication. You obtain a unique key from their developer portal and include it in your API requests as a query parameter.

How do I get an API key for the NPS API?

You can get an API key by visiting the official NPS Developer Portal, registering for an account, and then following the instructions to generate your key. Make sure to store it securely after generation.

Is the NPS API key secure enough for sensitive data?

The NPS API primarily provides access to public data. While API keys are suitable for this purpose, they should be handled securely. For applications dealing with sensitive user-specific data, more robust methods like OAuth 2.0 are typically used, but the NPS API does not currently require or support these for its public endpoints.

Can I use the same API key for multiple projects?

Yes, you can generally use the same API key for multiple projects, but it's often recommended to generate separate keys for different applications or environments (e.g., development, staging, production) for better management and security isolation. Check the NPS developer portal for specific guidance.

What happens if my NPS API key is compromised?

If your API key is compromised, unauthorized individuals could make requests using your key. You should immediately log into the NPS Developer Portal and regenerate your API key. This will invalidate the old key and prevent further unauthorized use.

Do I need to use HTTPS with the NPS API?

Yes, all requests to the NPS API should be made over HTTPS. This encrypts your API key and other data in transit, protecting them from interception. The NPS API enforces HTTPS for all its endpoints.

National Park Service, US Authentication Guide (2026)

Authentication overview

The National Park Service (NPS) API provides programmatic access to a wide range of public data related to U.S. national parks, including visitor centers, events, news releases, and alerts. To ensure responsible usage and prevent abuse, all requests to the NPS API require authentication. The primary method for authenticating with the NPS API is through the use of an API key, which serves as a unique identifier for your application and helps the service track usage and enforce rate limits.

This authentication model is designed for simplicity and ease of integration, making it accessible for developers building travel applications, educational tools, or research projects. The API key acts as a token that you include with each request to verify your identity. This approach is common for public APIs where the data being accessed is not sensitive user-specific information but rather publicly available content that benefits from controlled distribution.

Understanding the authentication process is crucial for successful integration. The NPS API documentation provides comprehensive details on obtaining and utilizing your API key for various endpoints. By correctly authenticating your requests, you contribute to the stability and reliability of the service for all users, aligning with the National Park Service's mission to share information effectively.

Supported authentication methods

The National Park Service API primarily supports API key authentication. This method involves generating a unique string of characters—your API key—which you then include in your API requests. The API key identifies your application to the NPS servers, granting you access to the available data. This is a standard practice for many public-facing APIs, offering a balance between security and ease of implementation for developers.

API keys are typically passed as a query parameter in the request URL. While straightforward, it is important to handle these keys securely to prevent unauthorized use. The NPS API does not currently support more complex authentication flows like OAuth 2.0 or mutual TLS for its public data endpoints, as these are generally reserved for APIs dealing with private user data or requiring more granular permissions. For a detailed explanation of API key usage, consult the official NPS API documentation.

Authentication methods summary

Method	When to Use	Security Level
API Key	Accessing public NPS data; most common use case for developers.	Moderate (requires secure handling of the key).

Getting your credentials

Obtaining an API key for the National Park Service API is a straightforward process, designed to allow developers to quickly begin integrating park data into their applications. The process typically involves registering on the NPS developer portal.

Visit the NPS Developer Portal: Navigate to the official NPS Developer homepage. This portal is the central hub for all developer-related resources, including documentation and API key registration.
Register for an Account: If you don't already have one, you will need to create a developer account. This usually involves providing an email address, creating a password, and agreeing to the terms of service.
Request an API Key: Once registered and logged in, look for a section or link titled something like "Get Your API Key" or "Generate Key." Follow the prompts to create a new API key for your application. You may be asked to provide a brief description of your project or intended use case.
Record Your Key: After generation, your API key will be displayed. It is crucial to copy and securely store this key immediately. The key is a long string of alphanumeric characters. For security reasons, it may not be displayed again after the initial generation, or it might be masked.

The NPS API keys are typically associated with your developer account, allowing you to manage them, regenerate them if compromised, or create multiple keys for different projects if needed. Always refer to the most current NPS API documentation for the precise steps, as the user interface and process may be updated over time.

Authenticated request example

Once you have obtained your API key, you can include it in your requests to the National Park Service API. The key is typically passed as a query parameter named api_key in the URL. Below is an example of an authenticated request using a placeholder API key.

Example using cURL

This cURL command demonstrates how to fetch a list of parks, including your API key in the request URL:


curl "https://developer.nps.gov/api/v1/parks?stateCode=CA&api_key=YOUR_API_KEY"

Replace YOUR_API_KEY with the actual API key you obtained from the NPS developer portal. The stateCode=CA parameter is an example filter to retrieve parks specifically within California.

Example using Python (requests library)

Here's how you might make an authenticated request using Python's popular requests library:


import requests

api_key = "YOUR_API_KEY"  # Replace with your actual API key
base_url = "https://developer.nps.gov/api/v1/parks"

params = {
    "stateCode": "CA",
    "api_key": api_key
}

try:
    response = requests.get(base_url, params=params)
    response.raise_for_status()  # Raise an exception for HTTP errors (4xx or 5xx)
    data = response.json()
    print(data)
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"An error occurred: {err}")

This Python script constructs the URL with the API key as a query parameter and then executes a GET request. The response, if successful, will be parsed as JSON and printed to the console.

Example using JavaScript (Fetch API)

For a client-side or Node.js application, you can use the Fetch API:


const apiKey = "YOUR_API_KEY"; // Replace with your actual API key
const baseUrl = "https://developer.nps.gov/api/v1/parks";
const stateCode = "CA";

fetch(`${baseUrl}?stateCode=${stateCode}&api_key=${apiKey}`)
  .then(response => {
    if (!response.ok) {
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    return response.json();
  })
  .then(data => {
    console.log(data);
  })
  .catch(error => {
    console.error("Error fetching parks data:", error);
  });

This JavaScript example uses template literals to construct the request URL, including the API key, and then processes the JSON response.

Security best practices

While API key authentication is straightforward, it is essential to implement security best practices to protect your credentials and ensure the integrity of your application and the NPS API. Mismanaged API keys can lead to unauthorized access, exceeding rate limits, or even incurring costs if the API were to become commercial in the future.

Keep your API key confidential: Treat your API key like a password. Do not embed it directly in client-side code that could be publicly exposed (e.g., JavaScript in a web browser). For web applications, make API calls from your backend server, where the API key can be securely stored.
Do not hardcode API keys in repositories: Avoid committing your API key directly into source code repositories, especially public ones. Use environment variables, configuration files, or secret management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) to store and retrieve your keys securely. For example, Google Cloud's API Key best practices recommend restricting API keys and using environment variables.
Restrict API key usage: If the NPS developer portal offers options to restrict API keys by IP address or HTTP referrer, utilize these features. This ensures that even if your key is compromised, it can only be used from authorized locations or domains.
Use HTTPS for all requests: Always make API requests over HTTPS (HTTP Secure). This encrypts the communication between your application and the NPS API, preventing your API key from being intercepted by malicious actors during transit. The NPS API itself enforces HTTPS.
Rotate API keys periodically: Regularly regenerate your API keys, especially if you suspect a compromise or as part of a routine security practice. The NPS developer portal should provide functionality to regenerate keys, invalidating the old ones.
Monitor API usage: Keep an eye on your API usage statistics, if provided by the NPS developer portal. Unusual spikes in usage could indicate that your API key has been compromised.
Handle errors gracefully: Implement robust error handling in your application. If an API call fails due to an authentication error, log the incident (without exposing the key) and notify administrators.

Adhering to these best practices helps maintain the security of your application and ensures a positive and reliable experience with the National Park Service API.