API Keys Overview

An API key is a simple encrypted string that you can use when calling Google Cloud APIs. A typical use of an API key is to pass the key into a REST API call as a query parameter with the following format:

http://example-library.googleapis.com/v1/publishers/mypublisher/books?key=API_KEY

API keys are useful for accessing public data anonymously, and are used to associate API requests with the consumer Google Cloud project for quota and billing.

API Keys provides you a programmatic interface to create and manage API keys for your project. It provides you more control over API keys than the API key-related tasks that you can do in the Cloud Console.

To learn more about authenticating to Google Cloud APIs and to determine the best authentication strategy for common scenarios, see Authentication overview. To learn more about using API keys for Google Maps Platform APIs and SDKs, see the Google Maps Platform documentation.

Securing an API key

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To help keep your API keys secure, follow these best practices:

  • Do not embed API keys directly in code. API keys that are embedded in code can be accidentally exposed to the public. For example, you may forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.

  • Add restrictions on the API key. By adding restrictions, you can reduce the impact of a compromised API key.

  • Delete unneeded API keys to minimize exposure to attacks.

  • Rotate your API keys periodically. You can rotate API keys by calling the CloneKey method. Then, update your applications to use the newly-generated keys and delete the old keys.

  • Review your code before publicly releasing it. Ensure that your code does not contain API keys or any other private information before you make your code publicly available.

What's next