Documentation — integrating with Alibrio Weather

This page is written for consumers of the service—teams embedding our schematic weather graphics in your own products, dashboards, or sites using your data and our HTTP APIs. Responses are HTML (pages or fragments) keyed by a standard WMO weather code. Use your account, API keys, and signed embed URLs as described below. Machine-readable duplicate of the consumer topics: GET /api/docs/developer-integration — JSON response with English markdown (consumer integration topics).

Trying the demo

On the demo page, choose a city in the list to see a live forecast card with the same graphic style used across the app. Data comes from Open-Meteo for those fixed locations only.

Account settings

When sign-in is enabled on this deployment, use Login and open Settings to manage your profile and API tokens.

Service status

GET /health and GET /api/health — JSON health check (no login).

API key

How to obtain a key

Through this app: sign in → accept terms → open Settings and create an API key (plaintext shown once).
Automation: while signed in with the same session as the web app, call POST /api/api-keys with {"name":"…"} — the response includes the secret once; GET /api/api-keys lists metadata only; DELETE /api/api-keys/{id} revokes a key.
Enterprise or custom hosting: your onboarding may include a server-issued credential (Bearer token) from Alibrio support—use it like any other API key unless your contract says otherwise.

What the key is for

Authorization: Bearer <key> (or a signed-in browser session) on POST /api/weather-graphics/signed-url to mint temporary embed URLs. Keys from the app usually include scope weather_graphics:sign.

GET /api/weather/demo/… needs no API key.

Endpoints

Method	Path	Role
POST	`/api/weather-graphics/signed-url`	JSON: mint a short-lived `signed_url` for public iframes.
GET	`/api/weather-graphics/render?t=…`	HTML: load graphic from token (no Bearer).
GET	`/api/weather/demo/{id}`	HTML fragment — demo cities `1`–`3` only (no key).
GET	`/api/api-keys`	List your API keys (metadata only; never returns full secrets).
POST	`/api/api-keys`	Create a key with JSON `{"name":"…"}`; response includes plaintext `key` once.
DELETE	`/api/api-keys/{id}`	Revoke the key with UUID `{id}` (authenticated).
GET	`/health`, `/api/health`	JSON health (no auth).
GET	`/api/docs/developer-integration`	Integration guide as JSON (`markdown`): embeds, keys, limits. No auth.

How to use

Browser iframe without leaking the key: your backend calls POST /api/weather-graphics/signed-url, returns the JSON to the page, and the browser sets iframe.src to signed_url.
Signing must be enabled on the deployment you call; if minting is unavailable, the POST returns service unavailable — contact whoever runs your Alibrio Weather environment. The host embedded in signed_url matches that deployment’s public base URL.
Avoid mint rate limits: on your backend, cache each successful mint response (signed_url, expires_at, ttl_seconds) and reuse it for the same embed until shortly before expires_at (leave a small safety margin), then mint again. Calling mint on every browser hit can exceed the default 10 mints / minute per user or API key (see Fair-use limits).

Important: signed URLs are temporary

Signed URLs are intentionally short-lived. Do not store them in HTML, CMS fields, databases, or static pages as permanent embed URLs. They are like an S3 pre-signed URL or time-bound token — not a permanent widget link.

Generate a signed URL shortly before it is shown to the end user. If the page can stay open longer than the token lifetime, your app must refresh the iframe by requesting a new signed URL from your backend.

Backend caching (recommended): your server should not call mint on every page load. Keep the latest mint JSON in memory or a short-lived server cache keyed by embed identity, serve the same signed_url to clients until shortly before expires_at, then mint once more. That stays within the spirit of “temporary” URLs (they still expire) and avoids hitting per-minute mint caps.

Mint response includes:

{
  "signed_url": "https://your.host/api/weather-graphics/render?t=…",
  "expires_at": "2026-05-09T12:34:56Z",
  "ttl_seconds": 900
}

expires_at is RFC 3339 / ISO-8601 UTC. ttl_seconds is the lifetime actually applied after the server clamps your request (often 300–900 seconds — your provider may use a different range). For long-lived pages, refresh the URL before expires_at, and again after a failed iframe load.

Recommended pattern

Browser requests your backend (e.g. GET /weather-card-url).
Your backend authenticates to Alibrio Weather and calls POST /api/weather-graphics/signed-url.
Backend returns signed_url, expires_at, ttl_seconds to the browser.
Browser sets the iframe src to signed_url.
Before expiry or after an error, obtain a new signed URL and reload the iframe.

Never embed a signed URL directly into a static page as a long-term src.

Example refresh helper (browser) — your backend must proxy the mint call:

async function refreshWeatherIframe() {
  const res = await fetch("/my-backend/weather-card-url");
  const { signed_url, expires_at } = await res.json();
  document.querySelector("#weather-frame").src = signed_url;
}

`POST /api/weather-graphics/signed-url`

Auth: signed-in session (terms accepted), or Authorization: Bearer with an API key from Settings / POST /api/api-keys, or a server credential issued by your provider. User keys typically include scope weather_graphics:sign. Rate limits apply for signing and rendering separately.

JSON body (application/json):

kind — "visual" or "card"
code — WMO weather code (integer)
night — optional boolean (default false)
theme — optional (alibrio default; shore_lithograph / sea_lithograph; unknown → default)
For card only: optional city, temperature, description
ttl_seconds — optional; the service clamps this to the bounds configured for your deployment (often 300–900 seconds).

`GET /api/weather-graphics/render?t=…`

No Bearer. Parameter t is the signed token; response is the graphic HTML encoded in the token (visual or card kind from minting).

Example (curl)

curl -sS -X POST \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"kind":"card","code":61,"night":false,"city":"Prague","temperature":"12 °C","description":"Rain","ttl_seconds":900}' \
  "http://127.0.0.1:8080/api/weather-graphics/signed-url"

Fair-use limits

Figures below are typical defaults you may see on a standard deployment. Your subscription, trial, or private environment can differ — check your agreement or ask support. Short-lived counters are tracked inside each running instance and may reset after maintenance or scaling.

Account

At most three active API keys per signed-in account (when the app stores keys for you).
At most 10 distinct embed configurations per user when minting signed URLs (session or personal API key): combinations of graphic kind, WMO code, night flag, theme, and optional card labels. Further new combinations return 403 (too_many_embed_configs). Re-minting an existing combination still succeeds.
Minting with a deployment-wide server credential may follow different embed-configuration rules — confirm with your provider.

POST /api/weather-graphics/signed-url — sliding window ≈ one minute per client bucket:

10 mints / minute / signed-in user (session)
10 mints / minute / user API key
10 mints / minute for integrations sharing one deployment-wide server credential (shared bucket for that identity)
30 mints / minute / caller IP
ttl_seconds clamp: commonly min 300 s, max 900 s (your deployment may vary).
When exceeded → 429 JSON rate_limited (mint endpoint).

Integrators: cache mint responses on your backend (keyed by logical embed) and reuse signed_url until shortly before expires_at. Calling mint on every client request makes it easy to exceed 10 mints/minute per user or API key.

GET /api/weather-graphics/render?t=…

Invalid or expired token → 401.
10 requests / minute / IP; 20 requests / minute / token (t=).
Concurrent HTML generation: at most 20 globally and 5 per IP; when saturated → 503.
Successful responses include Cache-Control with max-age capped by remaining token lifetime and server render-cache TTL (default render cache 600 s).
Rate exceeded → 429 (empty body on this GET route).

GET /api/weather/demo/{id} — Open-Meteo-backed fragments are cached per demo slot; default cache TTL is often about 15 minutes (your hosting may tune this).

API keys (JSON)

With OAuth + database: at most three active keys per user. Settings is the UI equivalent (HTML forms); these endpoints are for automation.

REST routes (authenticated session or equivalent — same as signed-in app):

Method	Path	Purpose
GET	`/api/api-keys`	List your keys: ids, names, prefixes, validity — no plaintext secrets.
POST	`/api/api-keys`	Create: JSON body `{"name":"…"}`; response includes plaintext `key` once.
DELETE	`/api/api-keys/{id}`	Revoke the key identified by UUID `{id}`.

`GET /api/weather/demo/{id}`

HTML fragment; fixed cities only: 1 Prague, 2 New York, 3 Singapore.

The service may call Open-Meteo for current conditions; responses are cached per slot (often about 15 minutes). Unknown {id} → 404.

curl -sS "http://127.0.0.1:8080/api/weather/demo/1"

Health & meta

GET /health and GET /api/health — JSON health (no auth).
GET /api/docs/developer-integration — JSON integration guide (markdown). No auth.