Menu data is valuable. It represents a restaurant’s brand, pricing strategy, and competitive positioning. It also powers limited-time offers, regional variations, and location-specific pricing.
EveryBite’s access levels give restaurants complete control over who can access their data, what information they can see, and who can update it. A chain with different menus in the South? Supported. A franchisee who manages their own LTOs? No problem. A parent company that needs visibility across all brands? Built in.
Why Access Levels Matter
Restaurant ownership structures are complex. A single restaurant, a regional franchise group, and a global brand parent company all have different needs—and different rights to the data.
Consider a parent company like Yum! Brands. They own Taco Bell, KFC, and Pizza Hut. A technology partner building an app for Yum! needs access to all three chains. But a franchisee building a local ordering app should only see their own locations. And a third-party delivery service partnering with one KFC location shouldn’t see data from the location across town.
EveryBite’s access levels mirror these real-world relationships:
| Level | Who Uses It | What They See |
|---|
| Restaurant | Single locations, franchisees | One location’s menus |
| Chain | Restaurant chains, regional groups | All locations in the chain |
| Brand | Parent companies, enterprise partners | All chains under the brand |
- Chains maintain consistency while allowing regional variation
- Parent companies get portfolio-wide visibility without exposing individual operator data
- Third-party partners access only what they’ve been explicitly granted
API Keys
Your API key is your credential for accessing menu data. Each key is scoped to a specific level in the restaurant hierarchy based on your relationship with the brand.
# Include your API key in the Authorization header
Authorization: pk_YWJjMTIzLWRlZjQ1Ni03ODkw.x9Kj2mNpQrStUvWxYz
Key Types
Restaurant Key
Chain Key
Brand Key
For: Single-location restaurants or franchiseesAccess: One restaurant location and its menus
For: Restaurant chains with multiple locationsAccess: All restaurants in the chain and their menus
For: Parent companies with multiple chainsAccess: All chains, all restaurants, all menus
Getting Your Key
Coming Soon — We’re rolling out developer sandbox access. Contact us to join the early access waitlist. Keep your API key secure. Do not expose it in client-side code or public repositories. Always proxy API requests through your backend.
Environments
| Environment | Base URL | Status |
|---|
| Sandbox | https://api.everybite.com/smartmenu/graphql | Coming soon |
| Production | https://api.everybite.com/smartmenu/graphql | Partner access |
Sandbox access is rolling out to early partners. Contact us to join the waitlist. Session-Based Context
All guest context is bound to the session when you call startSession. This includes:
- Chain & Location — Which restaurant and location
- Platform — Touchpoint:
IOS, ANDROID, WEB, KIOSK, POS, VOICE
- Guest Identity — Your guest ID or loyalty ID
- Passport — EveryBite Passport ID, if they have one
Once the session is created, your runtime API calls only need three headers:
curl -X POST https://api.everybite.com/smartmenu/graphql \
-H "Authorization: pk_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-H "X-Session-ID: sess_7f3a9c2e-8b1d-4e5f-a6c0-9d2e8f1a3b5c" \
-d '{"query": "..."}'
EveryBite Passport
If a guest has an EveryBite Passport, include their passportId when starting the session. This loads their saved dietary preferences automatically—no need to pass filters manually.
See the Quickstart for complete session and header examples.
Rate Limits
| Key Type | Requests/minute | Requests/day |
|---|
| Restaurant | 60 | 10,000 |
| Chain | 300 | 100,000 |
| Brand | 1,000 | Unlimited |
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 297
X-RateLimit-Reset: 1703001600
Error Codes
| Code | Meaning | Solution |
|---|
INVALID_API_KEY | Key is malformed or expired | Check your key, request a new one if expired |
UNAUTHORIZED_ACCESS | Key doesn’t have access to requested data | Verify your key’s access level |
RATE_LIMITED | Too many requests | Slow down, implement backoff |
KEY_REVOKED | Key has been revoked | Contact support |
