I have my api calls coming from secure server side code. However the rate limit of 40 calls per 10 seconds per IP address is likely to cause issues. To overcome the problem we discussed moving the API call into Javascript on the client. But that will expose the API key.

Any advise here? It seems the way you have limits setup is not great for web development.