Google Maps Platform best practices: Restricting API keys

Editor’s Note: Today’s post comes from Mike Pegg, head of our Google Maps Platform developer relations team and longtime Maps developer (you might remember him from the Google Maps Mania blog). Today, Mike and his team are kicking off a three-part series on best practices for using Google Maps Platform.

We know you put a lot of time and energy into creating experiences your users love, and we’re here to make sure you have the tools you need to bring Google’s knowledge about the world to everything you build. Part of that is helping you keep your Google Maps Platform integration efficient and secure. First up in our series is what you should do to control and prevent any unwanted or unexpected usage of your Google Maps Platform project. Today’s topic: restricting your API keys.

With the exception of Maps URLs, all Google Maps Platform APIs and SDKs require you to send an API key with all calls. API keys are generated in the Google Cloud console, and act as unique identifiers that authenticate the calls you make to Google Maps Platform and ensure they are billed to the correct account. Your API keys are the primary way we authenticate your access to Google Maps Platform APIs and SDKs. 

Why should I restrict my API keys?
Restricting your API keys helps ensure your Google Maps Platform account is secure. Just like the keys to your house or your car, it’s important to protect them to make sure they can only be used by the people and in the way you want. We strongly recommend that you restrict your API keys when you generate them in the Google Cloud console. You can always change the restrictions later, if you need to.

What’s an API key restriction?
API key restrictions are settings you apply to an API key that limit which applications, APIs, and SDKs can be used with that key. For example, you can specify that an API key can only be used to make calls from an Android app that has your app’s package name, or to the Geocoding API from a server with an IP address that matches the server your backend service is running on.

Think of this like how you think about passwords. Using a single password for multiple websites means that a stolen password would grant a thief access to many different things. API key restrictions make it possible for you to limit what a key can be used for, limiting your exposure if your key were ever compromised, just like keeping separate passwords for multiple websites.

What types of API key restrictions are available?
There are two types of API key restrictions: API restrictions and application restrictions. Application restrictions limit usage of the API key to a specific web site, web server, or application. Google Maps Platform supports four types of application restrictions:

  • HTTP referrers: restricts usage to one or more URLs and is intended for keys that are used in websites and web apps. This type of restriction allows you to set restrictions to a specific domain, page or set of pages in your website.

  • IP addresses: restricts usage to one or more IP addresses, and is intended for securing keys used in server-side requests, such as calls from web servers and cron jobs.

  • Android app restriction: restricts usage to calls from an Android app with a specified package name.

  • iOS app restriction: restricts usage to calls from an iOS app with a specified bundle identifier.

API restrictions limit usage of the API key to one or more APIs or SDKs. For example, if your mobile app only uses the Maps SDK for Android and Places SDK for Android, you can restrict the API key to only those two SDKs. You may set an API key to authorize access to as many APIs and SDKs as you want, but we strongly recommend that you limit the list to only those that are needed.

What are best practices for applying API key restrictions?
Here are a few simple guidelines you can use to determine which API key restrictions you should use and how to use them with your Google Maps Platform integrations:

  1. Use a separate API key per source and restrict each with an application restriction. For example, create separate API keys for your Android app and web app and restrict them with the Android app and HTTP referrer application restrictions, respectively.

  2. Apply an application restriction and one or more API restrictions to all your API keys. This will provide the maximum security by limiting what application can use your key and what APIs or SDKs it can be used with.

  3. Never use the same API key for client-side (mobile app, web app) and server-side applications.
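As an added example (not code from Google or this post), the following audit script checks a list of keys against the three guidelines above. It assumes key records in the shape returned by `gcloud services api-keys list --format=json` (API Keys API v2 Key resources); the key names and restriction values are constructed for the example.

```python
"""Audit Google Maps Platform API keys for missing or over-broad restrictions."""
from typing import Dict, List

# Restriction fields that count as an "application restriction" in the API Keys API.
APP_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",   # HTTP referrers
    "serverKeyRestrictions",    # IP addresses
    "androidKeyRestrictions",   # Android package name + signing certificate SHA-1
    "iosKeyRestrictions",       # iOS bundle identifier
)

# Constructed sample data (assumed shape of `gcloud services api-keys list --format=json`).
SAMPLE_KEYS: List[dict] = [
    {"displayName": "web-app-key",              # referrer + API restriction: compliant
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
                      "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "geocoding-backend-key",    # IP-restricted but open to every API
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
    {"displayName": "legacy-key",               # no restrictions at all
     "restrictions": {}},
    {"displayName": "dev-key",                  # API-restricted, but referrer "*" allows any site
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]},
                      "apiTargets": [{"service": "places-backend.googleapis.com"}]}},
]


def audit_key(key: dict) -> List[str]:
    """Return a list of findings for one key; an empty list means it follows the guidelines."""
    findings: List[str] = []
    r = key.get("restrictions") or {}
    if not any(field in r for field in APP_RESTRICTION_FIELDS):
        findings.append("no application restriction: key usable from any site, server or app")
    if not r.get("apiTargets"):
        findings.append("no API restriction: key can call every API and SDK enabled on the project")
    for ref in r.get("browserKeyRestrictions", {}).get("allowedReferrers", []):
        # A referrer made only of wildcards and separators ("*", "*/*", "*://*/*") matches every site.
        if set(ref) <= set("*/:"):
            findings.append(f"referrer {ref!r} matches every site; restrict to your own domains")
    return findings


def audit(keys: List[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant key's display name to its findings."""
    return {k["displayName"]: f for k in keys if (f := audit_key(k))}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_KEYS).items():
        print(name)
        for p in problems:
            print("  -", p)
```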

How do I restrict my API keys?
Restricting an API key is fast and easy. You can do it at any time from the credentials tab of the APIs & Services page of the Google Cloud console. But as I mentioned earlier, we recommend you apply some restrictions to every key you generate when you generate it. To learn how to restrict an API key, follow the walkthrough in our docs or watch this video. 

We’re constantly amazed by the things developers and businesses create with Google Maps Platform, and we want to do whatever we can to make you successful. Restricting your API keys is one easy way to keep your account secure, and to limit unauthorized usage if your key is ever compromised.

For more best practices, look out for the next blog post in our series, as well as our optimization guide. And don’t be afraid to ask questions on our StackOverflow tag.

For more information on Google Maps Platform, visit our website.