InBe Docs

Setup

Create an account, get your API key, and make authenticated requests in under two minutes.

This page gets you signed in, issued an API key, and making your first authenticated request.

Create an account and sign in

You’ll need to be signed in to generate an API key.

Get your API key

Once you are on the access page an API key will be generated for you. Copy this key and store it securely.

All requests are authenticated by passing your key in a header field called API-KEY.

.env.local
API_KEY=your_key_here

API Key Types

Secret Key (`sk_*`) - Server-Side Only

  • Use Case: Server-to-server communication
  • Security: Never expose to client applications
  • Permissions: Full access to all endpoints
  • Rate Limits: Based on subscription tier

Public Key (`pk_*`) - Client-Side Safe

  • Use Case: Mobile app direct API access
  • Security: Safe to embed in mobile apps
  • Permissions: Read-only access to safe endpoints
  • Rate Limits: Same as secret keys (based on subscription tier)

More information

More information about API key types with implementation examples can be found below.

Make an authenticated request

All requests require API key auth via the API-KEY header.

Terminal
curl -X POST https://api.inbe.us/v1/search \
  -H "Content-Type: application/json" \
  -H "API-KEY: $API_KEY" \
  -d '{
    "mode": "midpoint",
    "locations": [
      { "lat": 51.5072, "lon": -0.1276 },
      { "lat": 51.5154, "lon": -0.1419 }
    ],
    "preferences": { "establishment": ["coffee_shop"] }
  }'

Security best practice

  • Do not expose API keys in client-side code or mobile apps
  • Use environment variables/secret managers for server-side storage
  • Scope usage and monitor via the dashboard

Rate limits

Rate limits depend on your plan. You’ll see current usage and remaining quota in the dashboard, and standard X-* headers on responses.

BuilderHobbyistStartUpScaleEnterprise
Requests per second12525unlimited
Requests per 24 hours300100010000100000unlimited

Request pricing

We give all new customers £10 credit, giving you over 1600 requests to get started before you need to top up or upgrade to a paid plan.

Request typePrice per 1000
Search£6
Detail Basic£8
Detail Advanced£12
Venue Menus£6

API Keys

This guide explains how to securely integrate the InBe API into mobile and client-side applications, following industry best practices for API key security. Server-side applications do not need to follow these patterns.

If you are unsure which pattern to use, we recommend the Server Proxy pattern.

Public keys

Public keys can only access read-only endpoints.

Pattern 1: Server Proxy

This pattern is recommended, particularly for large companies.

How it works:

  1. Mobile app → Your server → InBe API
  2. Secret key stored securely on your server
  3. Mobile app uses your own authentication
  4. Your server then makes the request to the InBe API using the secret key sk_*

Benefits:

  • Maximum security
  • Full control over rate limiting
  • Can add additional business logic
  • Secret key never exposed

Limitations:

  • Additional latency
  • Additional complexity

Implementation:

Your server endpoint
app.post("/api/search-establishments", authenticateUser, async (, ) => {
  const  = await ("https://api.inbe.com/v1/search", {
    : "POST",
    : {
      "API-Key": .., // sk_*
      "Content-Type": "application/json",
    },
    : .(.body),
  });
 
  .json(await .());
});

Pattern 2: Direct API Access

This pattern can be used if have a smaller scale project or solution and you are not concerned about the security of your API key.

How it works:

  1. Mobile app → InBe API directly
  2. Public key embedded in mobile app
  3. Limited to read-only operations

Benefits:

  • Simpler implementation
  • Lower server costs
  • Faster response times

Limitations:

  • Public key can be extracted from app

Example Implementation:

Mobile app
const  = async () => {
  const  = await ("https://api.inbe.com/v1/search", {
    : "POST",
    : {
      "API-Key": "pk_*", // Public key - safe to embed
      "Content-Type": "application/json",
    },
    : .({  }),
  });
 
  return .();
};

More information

If your key is compromised, you can rotate ethier or both in the access page in the dashboard.

Security Best Practices

For Mobile Apps Using Public Keys

  • Obfuscation: Use code obfuscation to make key extraction harder

  • Certificate Pinning: Implement SSL certificate pinning
  • Runtime Checks: Add anti-debugging and root detection
  • Monitoring: Monitor for unusual usage patterns

For Server-Side Integration

  • Environment Variables: Store secret keys in environment variables

  • Access Logging: Log all API usage
  • Rate Limiting: Implement your own rate limiting
  • Error Handling: Don't expose internal errors to clients

Authentication errors

If authentication fails, you’ll receive a 401 response:

401 Unauthorized
{
  "error": "Unauthorized",
  "message": "Invalid API key",
  "code": 401
}

Next steps

Explore the Search API

Start getting locations, and tailoring your search.

Billing

Understand plans, usage, top ups, automatic top ups, and invoices.

On this page