What is the correct Authorization header format for the Homedata API?

Use Authorization: Api-Key YOUR_API_KEY. The Api-Key prefix is required — Bearer is not accepted.

Can I pass the API key as a query parameter instead of a header?

Yes, for testing you can pass ?api_key=YOUR_KEY as a query parameter. However, for production use the Authorization header — query parameters may appear in server logs and browser history.

Which endpoints work without an API key?

Address search (GET /api/address/find/) and postcode lookup (GET /api/address/postcode/{postcode}/) are open. The /ping and /health endpoints also require no authentication.

How do I revoke a compromised API key?

Log in to your Homedata account, go to Developer → API Keys, and click Revoke. A new key can be generated instantly.

Authentication

All authenticated endpoints use API key authentication via the Authorization header.

Passing your API key

Include your API key in the Authorization header with the Api-Key prefix:

HTTP Header

Authorization: Api-Key your_api_key_here

cURL example

curl https://neo.homedata.co.uk/api/properties/100023336956/ \
  -H "Authorization: Api-Key your_api_key_here"

⚠️ Important

• Use Api-Key prefix — not Bearer
• Some endpoints (like Address Search) work without authentication
• API keys are tied to your organisation, not individual users

Alternative: query parameter

For testing or environments where custom headers are difficult, you can pass your key as a query parameter:

https://neo.homedata.co.uk/api/properties/100023336956/?api_key=your_api_key_here

⚠️ Query parameter auth is not recommended for production — keys may appear in server logs and browser history. Use the header method in production code.

Open endpoints (no auth required)

Some endpoints are publicly accessible without an API key. These are ideal for testing your integration:

Endpoint	Description
GET /api/address/find/?q={query}	Address search (typeahead autocomplete)
GET /api/address/postcode/{postcode}/	All addresses at a postcode
GET /ping	Simple health check (returns "pong")
GET /health	Detailed health with DB + ES status

Rate limit response headers

Every authenticated response includes these headers:

Header	Example	Description
X-RateLimit-Limit	2000	Monthly allowance
X-RateLimit-Remaining	1847	Requests remaining this period
X-RateLimit-Reset	1711929600	Unix timestamp when limit resets

Security best practices

Store keys in environment variables

Never hardcode API keys. Use .env files or your platform's secret management.

Use server-side calls only

Don't expose your API key in browser JavaScript, mobile apps, or public repositories.

Revoke compromised keys immediately

Use the Developer Dashboard to revoke a key if it's exposed. You can generate a new one instantly.

Add .env to your .gitignore

Prevent accidental commits of your API key to version control.

← Getting Started API Reference →

Integrate into your own product

Free to start

Homedata API Scientific, granular measurements

Every authenticated Homedata API call is validated in under 5ms — rate-limit headers are returned on every response so your application can track usage without polling the dashboard.

Structured as JSON · queryable by UPRN or postcode · ready to embed in any application

Exact measurements

Real values — distances, concentrations, counts — not rounded ratings

29M+ UK properties

Every address queryable by UPRN or postcode

REST API

JSON responses, OpenAPI docs, sandbox — first call in under 5 minutes

Get your free API key View pricing Try a live API call →

Free tier: 100 API calls/month across all endpoints, no credit card required. Paid plans from £29/month for production use. Compare plans →

Sources

[1] Open Government Licence v3