DocsOverview

Backend Examples

Every PickPoint API call requires an X-Api-Key header. That key is the credential to your account - it controls billing, rate limits, and access. If it leaks, anyone can use your quota until you notice and rotate the key.

API keys must never appear in client-side code. Browser JavaScript can be read by anyone who opens DevTools. iOS/Android binaries can be decompiled with freely available tools. Flutter apps bundle Dart source into a recoverable form. Any key you embed in a client app should be considered public - treat it that way from day one.

The correct architecture

Your backend holds the PickPoint key and acts as a proxy. Clients authenticate against your backend using your own auth system (JWT, session cookie, OAuth token). Your backend validates the request, calls PickPoint, and returns the result.

Geocoding & Routing

Client App🌐 BrowserπŸ“± Mobile appπŸ–₯️ DesktopπŸ”‘ PICKPOINT_KEYYour Backendβœ“ Auth & rate-limitingβœ“ Response cachingβœ“ Audit loggingPickPoint APIπŸ“ GeocodingπŸ—ΊοΈ Routingrequestresultyour authrequestresultX-Api-Key

Device Tracking

DEVICE (sends location)IoT / Mobile Device πŸ“± iOS / Android / Flutter πŸ”§ IoT sensor / hardwaredirect WebSocket Β· location updatesclient-id + client-secretPickPointTracking WSπŸ“‘ Receives locationsπŸ“‘ Pushes to subscribersπŸ’Ύ Stores track history wss://ws.pickpoint.io /v2/trackingSUBSCRIBER (receives live feed)Dashboard / App πŸ–₯️ Dispatch screen 🌐 Browser mapπŸ”‘ API KEYYour BackendSubscribes Β· fans out eventsX-Api-Keylocation events

What you get beyond security

  • Rate limiting per user. Throttle individual users before they hit your PickPoint quota. One misbehaving client can't exhaust everyone's allowance.
  • Response caching. Geocoding output for a given address is stable - coordinates don't change unless OSM data changes. Cache them in Redis, Postgres, or even in-process memory. Repeat calls return instantly with zero API cost.
  • Audit log. Record every request - user ID, endpoint, query, timestamp, response latency - without any PickPoint involvement. Essential for debugging, billing reconciliation, and compliance.
  • Key rotation without client updates. When you rotate the PickPoint key, only the server env var changes. No app store release, no forced update, no coordination with mobile clients.

Device tracking - two different auth models

Tracking is the one area where the rule is more nuanced, because PickPoint uses two separate authentication schemes:

RoleCredentialsCan use from client?
Device (sends location)client-id + client-secret - per-device credentials, not the account keyβœ… Yes - safe to embed in mobile/IoT firmware
Subscriber (receives live feed)x-api-key - the account API key❌ No - must stay on your backend

A device's client-secret only lets that specific device stream its own location. Even if it leaks, an attacker can only impersonate that one device - they cannot access other devices, history, or any other API. Rotate the device credentials if a device is lost or compromised.

For subscriber dashboards, the backend integration pattern applies: your backend holds the API key, subscribes to PickPoint's WebSocket, and fans events out to authenticated browser clients.

Security checklist

  • Store PICKPOINT_KEY in an environment variable, never in source code.
  • Add .env to .gitignore - and verify it's there before the first commit.
  • Use separate keys for development, staging, and production so a staging breach doesn't affect production.
  • Set up usage alerts in your PickPoint dashboard - an unexpected spike is the first sign of a leaked key.
  • Rotate the key immediately if you suspect exposure. Rotation takes effect instantly on PickPoint's side.
  • Configure CORS on your proxy so only your frontend origins can call it.

Proxy endpoint reference

Your endpointMethodPickPoint API
/geo/forwardGET/v2/geocode/forward
/geo/reverseGET/v2/geocode/reverse
/geo/searchGET/v2/address/search
/routePOST/v2/route
/route/optimizedPOST/v2/route/optimized
/devicesGET/v2/devices
/devices/:uid/tracksGET/v2/devices/:uid/tracks
/tracking-relayWSwss://ws.pickpoint.io (subscriber)

Node.js / ExpressPython / FastAPIRuby / SinatraGoJava / Spring Boot