Perigee

Acceptable use & API

Build boldly. Leave the channel clear.

This policy protects shared access to Perigee, its upstream public-data providers, and the people who rely on clear provenance and safety limits. It applies to human and automated use of the site, REST API, MCP endpoints, OAuth, email, and developer credentials.

Effective July 9, 2026

Scope and core rule

This policy is incorporated into the Perigee Terms of Service. Use Perigee lawfully, within documented product and plan limits, without harming users, Cardin LLC, Perigee, data providers, or other services. If a use could materially affect safety, preserve context and send users to authoritative sources.

Permitted use

Subject to your plan and these rules, you may:

  • browse public pages and use planning tools for personal, educational, research, and commercial workflows;
  • call the documented REST API and MCP tools from applications, scripts, agents, and approved integrations;
  • cache results for reasonable performance, reliability, or offline use while retaining relevant timestamps, sources, units, datum, and warnings;
  • transform or summarize results when the output remains truthful about uncertainty, freshness, and source; and
  • use underlying NOAA or other public data under the terms that apply to that data, independently of rights in Perigee's service, branding, and original materials.

Prohibited use

You may not use Perigee to:

  • violate law, regulation, court order, or another person's rights;
  • facilitate violence, exploitation, harassment, stalking, fraud, phishing, malware, credential theft, or unauthorized surveillance;
  • probe, scan, exploit, or bypass security except for good-faith research conducted under the security reporting policy;
  • access another person's account, data, organization, subscription, credential, or private workflow without authorization;
  • interfere with availability, overwhelm endpoints, send malicious payloads, abuse email or OAuth flows, or impose unreasonable provider cost;
  • evade quotas, suspensions, billing, or access controls by rotating IPs, accounts, credentials, clients, or request shapes;
  • resell, sublicense, or publicly distribute Perigee credentials or offer the hosted service as an unmodified pass-through under another name;
  • scrape authenticated or non-public surfaces, personal information, or email addresses, or build a profile of a person without valid authority;
  • misrepresent Perigee output as an official NOAA, NWS, Coast Guard, or government warning, chart, certification, endorsement, or guarantee; or
  • remove or conceal source, units, datum, timestamps, confidence, freshness, missing-data states, or safety warnings where doing so could materially mislead a user.

Safety-critical and high-risk use

A safety-adjacent application must obtain appropriate official and local information, design for missing or stale data, show provenance and update time, communicate uncertainty, provide human review, and fail safely. Perigee's “go,” “caution,” “avoid,” or similar decision labels are planning interpretations—not clearances, commands, or warranties.

API credentials and OAuth

  • Keep API keys, OAuth client secrets (if any), access tokens, refresh tokens, session tokens, webhook secrets, and authorization codes private.
  • Use a separate credential per application or environment when available. Do not place secrets in browser bundles, public repositories, screenshots, logs, prompts, support messages, or shared documents.
  • Request only the access needed, validate OAuth state and redirects, and revoke credentials that are exposed, unused, or no longer authorized.
  • You remain responsible for systems that act with your credential. A plan or quota is not permission to generate abusive or wasteful traffic.

Rate limits, quotas, and retries

Respect the limits shown in documentation, headers, account state, and checkout. Limits may apply separately by IP address, key, OAuth token, account, transport, operation, product, or time window. A 429 response means stop and honor Retry-After before retrying.

Use caching, bounded concurrency, request deduplication, timeouts, and exponential backoff with jitter. Do not retry non-retryable validation or authorization errors. Do not fan out identical requests across credentials to defeat a limit. Contact us before a planned load test or unusually high volume that could affect shared service.

Data handling and privacy

  • Send only data necessary for the requested coastal or developer task. Do not place passwords, card data, government identifiers, medical records, precise personal itineraries, or other sensitive personal information into free-form fields, prompts, key names, or URLs.
  • Have a lawful basis and required notices or consent for personal data processed through your application. Honor deletion and access rights that apply to data you control.
  • Do not use Perigee output to infer protected or highly sensitive traits about a person or to make eligibility decisions in employment, housing, credit, insurance, healthcare, education, or legal services.

Perigee's handling of account and service data is described in the Privacy Policy.

AI agents and downstream users

If an AI assistant, application, embed, or automated workflow presents Perigee-derived information to someone else, you are responsible for the downstream experience. Do not fabricate unavailable readings, silently turn “unknown” into a confident result, or hide that conditions may have changed. Make it reasonably clear when output is generated or summarized and give users a path to the current source when context matters.

Security research

Good-faith security reports are welcome. Follow the scope and handling instructions on the Security page and security.txt. Do not access unnecessary data, degrade service, use social engineering, perform denial-of-service testing, or publicly disclose an unresolved issue in a way that increases risk.

Enforcement

Cardin LLC may rate-limit, reject, quarantine, revoke credentials, or suspend affected access when reasonably necessary to enforce this policy, protect service or provider availability, investigate abuse, comply with law, or reduce a credible security or safety risk. Serious or repeated violations may result in account termination. Enforcement does not create a duty to monitor every request or downstream use.

Reporting and contact

Report abuse or ask whether a planned use is allowed at ryandcardin@gmail.com. Include the relevant URL, account or key prefix (never the full secret), approximate time, and a concise description. Security vulnerabilities should follow the security reporting process.