Authentication
Every request to the Yatmo API carries your backend license key in an HTTP header. There’s no token exchange, no OAuth dance — the key is the credential.
The license-key header
Send your backend key in the LicenseKey HTTP header on every request:
| Name | In | Type | Description |
|---|---|---|---|
| LicenseKey required | header | string | Your Yatmo backend key — the server-to-server one. Not the frontend key used by the plugins. See License & keys for the distinction. |
Use the backend key, never the frontend one
Every Yatmo client gets two keys: a frontend key (safe to embed in HTML, used by the plugins) and a backend key (server-side only, used here). Don’t reuse the frontend key for the REST API — it’s locked to your domains and won’t authenticate. Equally important: never ship the backend key to the browser. Keep it in an environment variable or secrets manager.
Example request
The simplest GET, against the Summary endpoint:
curl -H 'LicenseKey: YOUR_KEY_HERE' \
'https://be.yatmo.com/summary?latitude=50.8520525&longitude=4.3442926&language=EN'Domain + IP restrictions
Your Yatmo account can lock a key to an allow-list:
- Domains / origins — if the request’s
OriginorHostisn’t in the list, the call is rejected. Used by the plugins (the key ends up in HTML source, so origin gating protects against copy-and-paste theft). - IP addresses — useful for server-side integrations. Lock the key to your backend’s outbound IP or a small CIDR range.
Email info@yatmo.com to set up or change domain / IP allow-lists on your key.
Auth errors
- 401 Unauthorized — missing or unknown license key.
- 403 Forbidden — the key exists but the request violates a restriction (wrong origin, IP not on allow-list, country not authorized).
- 429 Too Many Requests — you’re sending too many calls. Slow down; if it persists, email info@yatmo.com.
The response body usually carries a short text reason — log it.