Authentication
Every request to the Mountaya developer platform carries an API key that identifies your organization and scopes what it may do. Most surfaces also require a short-lived session token. This page covers both, the query-parameter fallbacks for browser navigations, and how rate limiting surfaces.
API keys
Keys come in a pair. Choose which to use by where the request runs.
Publishable keypk_…
Safe to ship in a browser or mobile app. Authorizes Map Embedding and the Tile and Data APIs (subject to scopes), and is restricted to the origins you allow. Sent in the X-API-Key header.
Secret keysk_…
Authorizes privileged operations, most importantly minting session tokens. Keep it on a server you control and never expose it to a browser. Sent in the X-API-Key header of the session-minting call.
Scopes
Each key carries scopes that gate which products it can reach. Enable only what an integration needs.
dataAccess to the Data API for routing, places, and geometry analysis.
tilesAccess to the Tile API: overlay specifications and {z}/{x}/{y} tiles.
embeddingPermission to embed the studio in an iframe. Requires the tiles scope, since the studio renders tiles.
Session tokens
A session token (sess_…) is a short-lived credential derived from your key pair. The Data API requires one on every request. Map Embedding requires one whenever your organization enables session enforcement (require_session_token); organizations without their own backend can leave it off and embed with just a publishable key and origin validation.
1
Call POST /v1/sessions on internal.mountaya.com. The secret key authorizes the call in the X-API-Key header; the publishable key the token is minted for goes in the body.
2
A successful call returns 201 Created with the token and the moment it expires.
Tokens live for 5 minutes. Mint a fresh one before it expires; minting is cheap and reuses a cached token within its validity window.
3
Pass the session token in the X-Session-Token header alongside your publishable key. Both headers are required on every Data API request.
OAuth for MCP connectors
The MCP server accepts a second, interactive authentication path built for AI assistants: instead of sending keys, you connect once over OAuth. The assistant discovers Mountaya's OAuth server from the connector URL and registers itself (no app to create), you sign in with your Mountaya account, and on a consent screen you choose which publishable key the assistant should act with. From then on the assistant carries an access token, scoped to that key's organization, and you never paste a key into its config. This is the path Claude, ChatGPT, and similar assistants use; see connect your assistant over OAuth for the full flow.
The same MCP endpoint also accepts the pk_/sk_ header pair for non-interactive clients. A client you script yourself can skip OAuth entirely and send a publishable key in X-API-Key and a secret key in X-Secret-Key on each request, and the server brokers a session token for it, exactly as the MCP server page documents. Use OAuth for an assistant a person signs into; use the key pair for an unattended client.
Query-parameter fallbacks
Some browser navigations, such as an <iframe src> or a download <a href>, cannot set custom headers. For those cases the publishable key and session token may travel as query parameters instead of headers:
?publishable_key=pk_…is accepted in place of theX-API-Keyheader.?session_token=sess_…is accepted in place of theX-Session-Tokenheader.
The header form always takes precedence when both are present.
Errors and rate limits
Each product documents the errors specific to its requests; this section covers the model shared across the platform.
Rate limiting
Limits are applied per key. When you exceed one, the API responds with 429 Too Many Requests and a Retry-After header giving the number of seconds to wait. Back off for that interval, then retry, ideally with exponential backoff if you retry repeatedly.
GraphQL errors
The Data API is GraphQL, so it answers with 200 OK even when a query fails and reports problems in an errors array. Each entry carries a human-readable message, the response path it applies to, and an extensions object with machine-readable detail such as an error code.
Inspect errors on every Data API response, not just the HTTP status. A partial result can return both data and errors together. Rate limiting still surfaces as a 429 with Retry-After at the transport layer, before a GraphQL response is produced.