API and Developer Usage Policy

Summary

Defines the conditions for programmatic access to the D4Science infrastructure, including OIDC-based authentication, VRE-scoped authorization, fair use limits, secure development practices, and API lifecycle management.

Policy Version
1.1
Effective Date

 

1. Purpose and Scope

The D4Science infrastructure provides a comprehensive set of APIs and developer resources that enable programmatic access to services, data, and research artefacts.

These capabilities are essential to support automation of scientific workflows, integration with external systems, development of applications by research communities, and reproducibility of scientific processes.

This policy defines the conditions under which APIs and developer resources may be used, ensuring that programmatic access remains secure, reliable, and aligned with the operational principles of the infrastructure.

This policy applies to all users, developers, and systems accessing D4Science services through APIs.

2. Relationship with the Policy Framework

This policy forms part of the D4Science Policy Framework and should be read together with the other policies governing the infrastructure.

All API usage is subject to the same governance principles that apply to interactive access to services, including access control, security, privacy, and responsible use of shared resources.

3. API Access Model

D4Science APIs are designed to provide secure and controlled access to infrastructure services.

Access is based on OpenID Connect (OIDC) authentication, issuance of secure access tokens, and enforcement of authorization within a Virtual Research Environment (VRE) security context.

Each API request must be associated with a valid token representing an authenticated user and must operate within the scope of one or more VREs to which the user belongs.

This model ensures that programmatic access respects the same authorization rules that govern user interaction with the infrastructure.

4. Authentication and Authorization

To use D4Science APIs, client applications must be registered and configured to interact with the infrastructure’s Identity and Access Management (IAM) system.

Authentication is performed through OIDC, after which the client receives an access token used to authorize API calls and, where applicable, an ID token containing identity information.

Authorization decisions are based on user identity, VRE membership, and the roles and permissions associated with the user.

Tokens must be securely managed and must not be shared with unauthorized parties.

5. VRE Security Context

All API operations are executed within the context of a Virtual Research Environment.

This design ensures that access to data and services is restricted to authorized communities, that resources remain isolated between VREs, and that collaboration occurs within clearly defined security boundaries.

API clients must therefore operate within the appropriate VRE context when accessing services.

6. Developer Integration and Documentation

D4Science provides documentation and technical guidance to support developers in integrating their applications with the infrastructure.

This includes API specifications, authentication workflows, and integration examples.

The official source for developer documentation is: https://dev.d4science.org

Developers are encouraged to consult this documentation regularly, as it may evolve to reflect changes in services and APIs.

7. Acceptable Use of APIs

APIs must be used in a manner consistent with the mission of the D4Science infrastructure.

Acceptable uses include integration of research applications, automation of scientific workflows, and development of tools supporting research communities.

API usage must comply with all applicable rules defined in the D4Science Policy Framework.

8. Usage Limits and Fair Use

To ensure fair access and maintain service stability, the infrastructure may apply operational limits to API usage.

These may include rate limits, quotas, and concurrency limits.

Such limits may vary depending on the service being accessed, the Virtual Research Environment, and operational requirements.

The infrastructure operator reserves the right to adjust these limits as needed to preserve the reliability and sustainability of shared services.

9. Prohibited API Usage

The following activities are not permitted: attempting to bypass authentication or authorization mechanisms, using tokens in unauthorized contexts, generating excessive or abusive request patterns that degrade service performance, performing automated scraping or extraction of data beyond intended usage, or attempting to reverse-engineer or exploit API endpoints.

Such activities may compromise infrastructure stability and security and may lead to restrictions or suspension of access.

10. Security of API Access

API usage must follow good practices for secure software development and operation.

Developers must protect authentication tokens and credentials, avoid exposing tokens in client-side code, and implement secure storage and transmission mechanisms.

Failure to protect credentials may result in unauthorized access and may lead to suspension or revocation of access rights.

11. Monitoring and Enforcement

API usage may be monitored to ensure compliance with this policy, detect misuse or anomalous activity, and maintain system performance and service integrity.

In cases of misuse, the infrastructure operator may limit API access, revoke tokens, suspend or terminate access, or apply other appropriate measures to protect the infrastructure and its users.

12. Changes to APIs

APIs may evolve over time as the infrastructure is updated.

Changes may include the introduction of new endpoints, modification of existing APIs, or deprecation of older interfaces.

Developers are responsible for ensuring that their applications remain compatible with supported APIs. Where possible, significant changes will be communicated in advance.

13. Contact and Support

For technical questions or support related to API usage, developers may contact: https://support.d4science.org

14. Policy Framework

This document forms part of the D4Science Policy Framework.