NVD API: keys, documentation, and request limits!
To better serve its growing user base, the NVD is announcing the availability of API keys. Users who request and activate a key may include it as a parameter of their request’s URL string. Along with the release of API Keys, the NVD will be unveiling new API documentation and information to help new developers get started with the NVD API. Beginning six months after the release of the API keys, users transmitting requests without a key will see a reduction in the number of requests they can make in a rolling 60 second window. Users transmitting requests that include their API key will see no change in service and may continue to make requests at the current rate.
Requesting an NVD API key:
Users may obtain an API key by visiting https://nvd.nist.gov/developers/request-an-api-key.
Immediately after activation, API keys can be included as a parameter of the requestor’s URL string.
API keys will be associated with the email address of a single requestor. Keys should not be used by, or shared with, individuals or organizations other than the original requestor. Queries from an organization having multiple requestors might employ a proxy service or firewall. This may make all requests from that organization to appear to be coming from the same user. If multiple employees are transmitting requests, the rate limits are for the user’s proxy server/firewall, not the individual user. It is recommended that organizations who may fall into this category employ the best practices provided below to avoid exceeding their rate limit.
Users who choose not to obtain an API key may continue to transmit requests at the current rate until the changes take effect. Beginning six months after the release of the API keys, users transmitting requests without a key will see a reduction in the number of requests, they can make in a rolling 60 second window. It is recommended that users choosing not to request an API key employ the best practices provided below to avoid exceeding their rate limit.
Best practices for using the NVD API:
The best practice for making requests within either rate limit is to use the modified date parameters. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last response received and modEndDate equals the current time. Enterprise scale development should enforce this approach through a single requestor to ensure all users are in sync and have the latest CVE and CPE information. It is also recommended that users "sleep" their scripts for six seconds between requests.
The National Vulnerability Database Team