License & API keys

Every Yatmo client gets two license keys — one for things that run in a browser, one for server-to-server calls. Use the right key for the right place and you can stop worrying about security.

You get two keys

| | Frontend key | Backend key |
|---|---|---|
| Where it runs | In the browser — ends up in HTML source. | On your server — never reaches the browser. |
| Used by | The iframe plugin, JavaScript plugins, WordPress plugins. | The REST API — server-side scoring jobs, custom map UIs, content pipelines. |
| Locked by Yatmo to | The list of domains you authorise. | The list of IP addresses (or CIDR ranges) you authorise. |
| Safe to expose? | Yes — the domain lock-down makes a leaked key useless to anyone else. | No — treat it like a database password. Environment variable, secrets manager, never in source control. |

The frontend key

Used by anything that runs in a visitor’s browser: the iframe plugin, JavaScript plugins and WordPress plugins.

The key being visible in HTML source is fine. Send Yatmo the list of domains your site uses, and the team will lock the key to those domains. Requests from any other origin are rejected.

The backend key

Used by your server when it calls the Yatmo REST API directly (bulk scoring jobs, custom map UIs you render server-side, content-generation pipelines, etc.).

Don’t mix them up
The keys aren’t interchangeable. A REST API request made with the frontend key is rejected; putting the backend key in an iframe URL exposes a credential that shouldn’t be public. Each key is locked to its own world.

Dev vs production

It’s a good idea to use a separate pair of keys in development and production — so four keys total: frontend-dev, frontend-prod, backend-dev, backend-prod. Dev keys are locked to localhost / staging hosts; production keys to your live domains / live server IPs.
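A pre-deploy check for the two rules above (no backend key in anything served to the browser, no dev frontend key in a production build), as an added example that is not Yatmo's own code. The environment variable names, the sample key strings and the page fragments are assumptions made up for this sketch.

```python
import os
from pathlib import Path

# Hypothetical variable names: an assumption of this example, not Yatmo's.
KEY_VARS = {
    ("frontend", "dev"): "YATMO_FRONTEND_KEY_DEV",
    ("frontend", "prod"): "YATMO_FRONTEND_KEY_PROD",
    ("backend", "dev"): "YATMO_BACKEND_KEY_DEV",
    ("backend", "prod"): "YATMO_BACKEND_KEY_PROD",
}

def load_keys(environ=os.environ):
    """Return {(kind, stage): key} for every key variable that is set."""
    return {slot: environ[var] for slot, var in KEY_VARS.items() if environ.get(var)}

def read_build(root):
    """Map path -> text for files under a build directory; skip binaries."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                files[str(path)] = path.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue
    return files

def audit_browser_files(files, keys, stage):
    """Return sorted (file, problem) pairs; key values are never echoed."""
    problems = set()
    for name, text in files.items():
        for (kind, key_stage), key in keys.items():
            if key in text and kind == "backend":  # must never reach the browser
                problems.add((name, f"backend-{key_stage} key in browser content"))
            elif key in text and key_stage != stage:  # key from the other environment
                problems.add((name, f"frontend-{key_stage} key in {stage} build"))
    return sorted(problems)

# Constructed sample: made-up key strings and page fragments.
SAMPLE_KEYS = {("frontend", "dev"): "fe-dev-0000", ("frontend", "prod"): "fe-prod-0000",
               ("backend", "prod"): "be-prod-0000"}
SAMPLE_FILES = {
    "index.html": '<div data-key="fe-prod-0000"></div>',
    "map.js": 'const key = "be-prod-0000";',
    "old.html": '<div data-key="fe-dev-0000"></div>',
}

if __name__ == "__main__":
    for name, problem in audit_browser_files(SAMPLE_FILES, SAMPLE_KEYS, "prod"):
        print(f"{name}: {problem}")
```

In a pipeline, `audit_browser_files(read_build(<build directory>), load_keys(), "prod")` returning a non-empty list would fail the deploy step.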

How to obtain them