Google Maps Platform best practices: Securing API keys when using Static Maps and Street View APIs
Google Maps Platform Developer Advocate
In the last of our best practices series, we showed you how to protect your API keys using API key restrictions. Google Maps Platform offers several layers of security to allow you to protect your API keys from unauthorized use, even if you have to publish them openly. In this post, I'll use an analogy to credit card accounts to illustrate how various security features in Google Maps Platform work. In this analogy, think of an API key as the number on one of the credit cards in your wallet.
Guard your API keys like your credit card number
The Maps Static API and Street View Static API are the simplest and most economical ways to publish a custom map or Street View panorama. With these static imagery APIs, you can add a non-interactive map or street view image to any webpage as an image with the source URL being hosted by Google Maps Platform. You could serve up to 100,000 static map views or 28,000 static Street View loads within the monthly $200 billing credit that gets applied to your Google Maps Platform usage.
However, using the static imagery APIs requires you to include your API key in publicly viewable code.
Google Street View underwater imagery captured at Heron Island in the Great Barrier Reef, as it would appear if embedded using Street View Static API
To embed a Street View image like the above into your own webpage with the Street View Static API, you'd need to include an
<img> tag with the
src property set to a URL like the one below. However, anyone viewing the source code for your webpage would be able to see your API key as part of the URL, like the one below:
Feeling a bit nervous for me? Someone could try to copy my key and use it with lots of Google Maps Platform API calls, just like a thief going on an online shopping spree with my credit card number. So, I'll add some protections to make sure my API key can't be used outside my intended uses.
Start with API key restrictions
As shared in the last post, you could add application restrictions to tell Google Maps Platform that this API key should only be used from certain HTTP referrers. That would be like limiting my credit card to only work at a certain retail chain, but someone could still get quite a lot from a single store.
You could also add API restrictions to tell Google Maps Platform that this key can only be used on calls to the Street View Static API. That's like limiting my credit card to only be allowed to purchase books. This greatly reduces how useful my credit card number would be to someone else.
Digital signatures only you can generate
In the realm of hosted imagery, we recommend adding a digital signature as well. Signing a request URL is like using your fingerprint to authorize purchases of a single book title.
To generate a digitally signed URL, you combine your API request URL and API key with a URL signing secret that is maintained in your Google Cloud console. The signing secret is something only you have, like your fingerprint, and the request URL is like the ISBN of a book. The mathematical combination of your fingerprint and the ISBN generates a digital signature that you can publicly share, saying you authorize purchases of that particular book using your credit card number (in this case, you are authorizing loads of this particular static image using your API key).
You can use Google Cloud console to generate the digital signature (instructions for Maps Static API and Street View Static API) for you, or write your own server-side application for generating digital signatures (we provide sample code in the documentation). The digital signature is appended to your URL; below is the signed URL I would use to load the Street View image above.
Limit unsigned requests
Once you've added a digital signature to your static image URL, you can further protect your account by reducing the quota limit on the number of requests without a digital signature using your key to the Maps Static API and/or the Street View Static API in your project.
This video walkthrough shows you how to manage your quota limits in Google Cloud console. For Maps Static API and Street View Static API quotas pages, there are separate sections for managing Signed Requests quota limits and Unsigned Requests quota limits. By default, projects with these APIs enabled allow a maximum of 25,000 unsigned requests per day. If you want to make sure that only digitally signed static imagery URLs can be used with your API key, you can change this quota limit to 0.
With API keys, application restrictions, API restrictions, digital signatures, and quota limits, you can apply five layers of security to prevent unexpected use of your Google Maps Platform credentials. I've used them all together to publish the Street View image above, so even though my API key is publicly viewable, it can only be used on this blog to call the Street View Static API with digitally signed request URLs. Since I've only created one digital signature that's based on the URL for this particular Street View image, this signature won't work with any other Street View images—not even to turn and see another section of the panorama.
Taking our credit card analogy to completion, it's like I've shown you my credit card number but I've told the credit card company to only allow my credit card number to be used for buying paperback copies of Don Quixote by Miguel de Cervantes Saavedra from Powell's Books stores. "El que lee mucho y anda mucho, ve mucho y sabe mucho."
For more information on Google Maps Platform, visit our website.