This page describes how to create, edit, and restrict API keys.
Introduction to API keys
When you use an API key to authenticate to an API, the API key does not identify a principal. The API key associates the request with a Google Cloud project for billing and quota purposes. Without a principal, the request can't use Identity and Access Management (IAM) to check whether the caller is authorized to perform the requested operation.
An API key has the following components, which you use to manage and use the key:
- String: The API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. When you use an API key to authenticate, you always use the key's string. API keys do not have an associated JSON file.
- ID: The API key ID is used by Google Cloud administrative tools to uniquely identify the key. The key ID cannot be used to authenticate. The key ID can be found in the URL of the key's edit page in the Google Cloud console. You can also get the key ID by using the Google Cloud CLI to list the keys in your project.
- Display name: The display name is an optional, descriptive name for the key, which you can set when you create or update the key.
Before you begin
Complete the following tasks to use the samples on this page.
Set up authentication
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
C++
To use the C++ samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- If you're using a local shell, then create local authentication credentials for your user account:
  gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell.
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Required roles
To get the permissions that you need to manage API keys, ask your administrator to grant you the following IAM roles on your project:
- API Keys Admin (roles/serviceusage.apiKeysAdmin)
- Restrict an API key to specific APIs by using the Google Cloud console: Service Usage Viewer (roles/serviceusage.serviceUsageViewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create an API key
To create an API key, use one of the following options:
Console
In the Google Cloud console, go to the Credentials page.
Click Create credentials, then select API key from the menu.
The API key created dialog displays the string for your newly created key.
gcloud
You use the gcloud services api-keys create command to create an API key.
Replace DISPLAY_NAME with a descriptive name for your key.
gcloud services api-keys create --display-name=DISPLAY_NAME
C++
To run this sample, you must install the API Keys client library.
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
You use the keys.create method to create an API key. This request returns a long-running operation; you must poll the operation to get the information for the new key.
Replace the following values:
- DISPLAY_NAME: Optional. A descriptive name for your key.
- PROJECT_ID: Your Google Cloud project ID or name.
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d '{"displayName": "DISPLAY_NAME"}' \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys"
For more information about creating API keys using the REST API, see Creating an API key in the API Keys API documentation.
Copy your key string and keep it secure. Use API key restrictions to limit how the key can be used.
Apply API key restrictions
API keys are unrestricted by default. Unrestricted keys are insecure because they can be used by anyone from anywhere. For production applications, you should set both application restrictions and API restrictions.
Add application restrictions
Application restrictions specify which websites, IP addresses, or apps can use an API key.
You can apply only one application restriction type at a time. Choose the restriction type based on your application type:
Option | Application type | Notes |
---|---|---|
HTTP referrers | Web applications | Specifies the websites that can use the key. |
IP Addresses | Applications called by specific servers | Specifies the servers or cron jobs that can use the key. |
Android apps | Android applications | Specifies the Android application that can use the key. |
iOS apps | iOS applications | Specifies the iOS bundles that can use the key. |
HTTP referrers
To restrict the websites that can use your API key, you add one or more HTTP referrer restrictions.
You can substitute a wildcard character (*) for the subdomain or the path, but you cannot insert a wildcard character into the middle of the URL. For example, *.example.com is valid, and accepts all sites ending in .example.com. However, mysubdomain*.example.com is not a valid restriction.
Port numbers can be included in HTTP referrer restrictions. If you include a port number, then only requests using that port are matched. If you do not specify a port number, then requests from any port number are matched.
You can add up to 1200 HTTP referrers to an API key.
The following table shows some example scenarios and browser restrictions:
Scenario | Restrictions |
---|---|
Allow a specific URL | Add a URL with an exact path. For example: www.example.com/path, www.example.com/path/path. Some browsers implement a referrer policy that sends only the origin URL for cross-origin requests. Users of these browsers can't use keys with page-specific URL restrictions. |
Allow any URL in your site | You must set two URLs in the allowedReferrers list. |
Allow any URL in a single subdomain or naked domain | You must set two URLs in the |
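A pre-flight lint for a referrer list, written for this page as an added example (it is not Google's code and does not reproduce the service's own parser). It models only the rules stated above: wildcard as the whole leading subdomain or as the path, optional port, the 1200-entry limit, and the origin-only referrer caveat; treating a single trailing `*` segment as the path wildcard is an assumption.

```python
import re

MAX_REFERRERS = 1200  # per-key limit stated on this page

# One DNS label; an optional leading "*." is the only wildcard form accepted in the host.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(r"^(?:\*\.)?%s(?:\.%s)*$" % (_LABEL, _LABEL), re.IGNORECASE)


def lint_referrer(pattern):
    """Return (severity, message) findings for one HTTP referrer restriction."""
    findings = []
    rest = pattern.split("://", 1)[-1]            # ignore an optional scheme
    hostport, _slash, path = rest.partition("/")
    host, colon, port = hostport.partition(":")

    if not _HOST_RE.match(host):
        if "*" in host:
            findings.append(("error", "wildcard must replace the whole leading "
                             "subdomain, as in *.example.com"))
        else:
            findings.append(("error", "host is not a valid domain name"))
    if colon:
        if port.isdigit():
            findings.append(("note", "only requests on port %s match" % port))
        else:
            findings.append(("error", "port is not numeric"))
    if "*" in path:
        # Assumption: a path wildcard is a single trailing "*" segment.
        if not (path == "*" or path.endswith("/*")) or path.count("*") > 1:
            findings.append(("error", "wildcard in the middle of the URL"))
    elif path:
        findings.append(("note", "page-specific path: browsers that send only "
                         "the origin as referrer will not match"))
    return findings


def lint_referrer_list(patterns):
    """Lint the full list an update would write, since it replaces the old one."""
    report = {p: lint_referrer(p) for p in patterns}
    if len(patterns) > MAX_REFERRERS:
        report["<list>"] = [("error", "more than %d referrers" % MAX_REFERRERS)]
    return report


def has_errors(report):
    """True if any entry in the report carries an error-level finding."""
    return any(sev == "error" for found in report.values() for sev, _ in found)


if __name__ == "__main__":
    # Constructed sample list; the example.com names follow the page's own examples.
    sample = ["*.example.com", "mysubdomain*.example.com",
              "www.example.com/path", "www.example.com:8443/*"]
    for pat, found in lint_referrer_list(sample).items():
        print(pat, found or "ok")
```

Run it over the complete list before an update, because the update replaces every referrer restriction already on the key.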
To restrict your API key to specific websites, use one of the following options:
Console
In the Google Cloud console, go to the Credentials page.
Click the name of the API key that you want to restrict.
In the Application restrictions section, select HTTP referrers.
For each restriction that you want to add, click Add an item, enter the restriction, and click Done.
Click Save to save your changes and return to the API key list.
gcloud
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.
Use the gcloud services api-keys update command to add HTTP referrer restrictions to an API key.
Replace the following values:
- KEY_ID: The ID of the key that you want to restrict.
- ALLOWED_REFERRER_1: Your HTTP referrer restriction.
You can add as many restrictions as needed; use commas to separate the restrictions. You must provide all referrer restrictions with the update command; the referrer restrictions provided replace any existing referrer restrictions on the key.
gcloud services api-keys update KEY_ID \
  --allowed-referrers="ALLOWED_REFERRER_1"
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.
Replace PROJECT_ID with your Google Cloud project ID or name.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/"
Use the keys.patch method to add HTTP referrer restrictions to the API key.
This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
- ALLOWED_REFERRER_1: Your HTTP referrer restriction.
- PROJECT_ID: Your Google Cloud project ID or name.
- KEY_ID: The ID of the key that you want to restrict.
You can add as many restrictions as needed; use commas to separate the restrictions. You must provide all referrer restrictions with the request; the referrer restrictions provided replace any existing referrer restrictions on the key.
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data '{ "restrictions" : { "browserKeyRestrictions": { "allowedReferrers": ["ALLOWED_REFERRER_1"] } } }' \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"
For more information about adding HTTP referrer restrictions to a key using the REST API, see Adding browser restrictions in the API Keys API documentation.
IP Addresses
You can specify one or more IP addresses of the callers, such as a web server or cron job, that are allowed to use your API key. You can specify the IP addresses in any of the following formats:
- IPv4 (198.51.100.1)
- IPv6 (2001:db8::1)
- A subnet using CIDR notation (198.51.100.0/24, 2001:db8::/64)
Using localhost is not supported for server restrictions.
To restrict your API key to specific IP addresses, use one of the following options:
Console
In the Google Cloud console, go to the Credentials page.
Click the name of the API key that you want to restrict.
In the Application restrictions section, select IP addresses.
For each IP address that you want to add, click Add an item, enter the address, and click Done.
Click Save to save your changes and return to the API key list.
gcloud
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.
Use the gcloud services api-keys update command to add server (IP address) restrictions to an API key.
Replace the following values:
- KEY_ID: The ID of the key that you want to restrict.
- ALLOWED_IP_ADDR_1: Your allowed IP address.
You can add as many IP addresses as needed; use commas to separate the addresses.
gcloud services api-keys update KEY_ID \
  --allowed-ips="ALLOWED_IP_ADDR_1"
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.
Replace PROJECT_ID with your Google Cloud project ID or name.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/"
Use the keys.patch method to add server (IP address) restrictions to an API key.
This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
- ALLOWED_IP_ADDR_1: Your allowed IP address.
- PROJECT_ID: Your Google Cloud project ID or name.
- KEY_ID: The ID of the key that you want to restrict.
You can add as many IP addresses as needed; use commas to separate the restrictions. You must provide all IP addresses with the request; the IP addresses provided replace any existing IP address restrictions on the key.
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data '{ "restrictions" : { "serverKeyRestrictions": { "allowedIps": ["ALLOWED_IP_ADDR_1"] } } }' \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"
For more information about adding IP address restrictions to a key using the REST API, see Adding server restrictions in the API Keys API documentation.
Android apps
You can restrict usage of an API key to specific Android apps. You must provide the package name and the 20-byte SHA-1 certificate fingerprint for each app.
When you use the API key in a request, you must specify the package name and certificate fingerprint by using the following HTTP headers:
X-Android-Package
X-Android-Cert
To restrict your API key to one or more Android apps, use one of the following options:
Console
In the Google Cloud console, go to the Credentials page.
Click the name of the API key that you want to restrict.
In the Application restrictions section, select Android apps.
For each Android app that you want to add, click Add an item and enter the package name and SHA-1 certificate fingerprint, then click Done.
Click Save to save your changes and return to the API key list.
gcloud
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.
Use the gcloud services api-keys update command to specify the Android apps that can use an API key.
Replace the following values:
- KEY_ID: The ID of the key that you want to restrict.
- SHA1_FINGERPRINT and PACKAGE_NAME: The app information for an Android app that can use the key.
You can add as many apps as needed; use additional --allowed-application flags.
gcloud services api-keys update KEY_ID \
  --allowed-application=sha1_fingerprint=SHA1_FINGERPRINT_1,package_name=PACKAGE_NAME_1 \
  --allowed-application=sha1_fingerprint=SHA1_FINGERPRINT_2,package_name=PACKAGE_NAME_2
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.
Replace PROJECT_ID with your Google Cloud project ID or name.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/"
Use the keys.patch method to specify the Android apps that can use an API key.
This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
- SHA1_FINGERPRINT_1 and PACKAGE_NAME_1: The app information for an Android app that can use the key.
- PROJECT_ID: Your Google Cloud project ID or name.
- KEY_ID: The ID of the key that you want to restrict.
You can add the information for as many apps as needed; use commas to separate the AndroidApplication objects. You must provide all applications with the request; the applications provided replace any existing allowed applications on the key.
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data '{ "restrictions" : { "androidKeyRestrictions": { "allowedApplications": [ { "sha1Fingerprint": "SHA1_FINGERPRINT_1", "packageName": "PACKAGE_NAME_1" } ] } } }' \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"
For more information about adding Android app restrictions to a key using the REST API, see Adding Android restrictions in the API Keys API documentation.
iOS apps
You can restrict usage of an API key to specific iOS apps by providing the bundle ID of each app.
When you use the API key in a request, you must specify the bundle ID by using the X-Ios-Bundle-Identifier HTTP header.
To restrict your API key to one or more iOS apps, use one of the following options:
Console
In the Google Cloud console, go to the Credentials page.
Click the name of the API key that you want to restrict.
In the Application restrictions section, select iOS apps.
For each iOS app that you want to add, click Add an item and enter the bundle ID, then click Done.
Click Save to save your changes and return to the API key list.
gcloud
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.
Use the gcloud services api-keys update command to specify the iOS apps that can use the key.
Replace the following values:
- KEY_ID: The ID of the key that you want to restrict.
- ALLOWED_BUNDLE_ID: The bundle ID of an iOS app that you want to be able to use this API key.
You can add as many bundle IDs as needed; use commas to separate the IDs.
gcloud services api-keys update KEY_ID \
  --allowed-bundle-ids=ALLOWED_BUNDLE_ID_1,ALLOWED_BUNDLE_ID_2
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.
Replace PROJECT_ID with your Google Cloud project ID or name.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/"
Use the keys.patch method to specify the iOS apps that can use an API key.
This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
- ALLOWED_BUNDLE_ID: The bundle ID of an iOS app that can use the key.
- PROJECT_ID: Your Google Cloud project ID or name.
- KEY_ID: The ID of the key that you want to restrict.
You can add the information for as many apps as needed; use commas to separate the bundle IDs. You must provide all bundle IDs with the request; the bundle IDs provided replace any existing allowed applications on the key.
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data '{ "restrictions" : { "iosKeyRestrictions": { "allowedBundleIds": ["ALLOWED_BUNDLE_ID_1","ALLOWED_BUNDLE_ID_2"] } } }' \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"
For more information about adding iOS app restrictions to a key using the REST API, see Adding iOS restrictions in the API Keys API documentation.
Add API restrictions
API restrictions specify which APIs can be called using the API key.
To add API restrictions, use one of the following options:
Console
In the Google Cloud console, go to the Credentials page.
Click the name of the API key that you want to restrict.
In the API restrictions section, click Restrict key.
Select all APIs that your API key will be used to access.
Click Save to save your changes and return to the API key list.
gcloud
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.
Use the gcloud services api-keys update command to specify which services an API key can be used to authenticate to.
Replace the following values:
- KEY_ID: The ID of the key that you want to restrict.
- SERVICE_1, SERVICE_2...: The service names of the APIs that the key can be used to access.
You must provide all service names with the update command; the service names provided replace any existing services on the key.
You can find the service name by searching for the API on the API dashboard. Service names are strings like bigquery.googleapis.com.
gcloud services api-keys update KEY_ID \
  --api-target=service=SERVICE_1 --api-target=service=SERVICE_2
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
Get the ID of the key that you want to restrict.
The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.
Replace PROJECT_ID with your Google Cloud project ID or name.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/"
Use the keys.patch method to specify which services an API key can be used to authenticate to.
This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
- SERVICE_1, SERVICE_2...: The service names of the APIs that the key can be used to access.
- PROJECT_ID: Your Google Cloud project ID or name.
- KEY_ID: The ID of the key that you want to restrict.
You must provide all service names with the request; the service names provided replace any existing services on the key.
You can find the service name by searching for the API on the API dashboard. Service names are strings like bigquery.googleapis.com.
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data '{ "restrictions" : { "apiTargets": [ { "service": "SERVICE_1" }, { "service" : "SERVICE_2" } ] } }' \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"
For more information about adding API restrictions to a key using the REST API, see Adding API restrictions in the API Keys API documentation.
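An audit for the rule stated under "Apply API key restrictions" (set both an application restriction and an API restriction), added here as an example and not taken from Google's samples. It reads a keys.list response that you have already saved; the restriction field names are the ones used in the REST bodies on this page, the top-level `keys` field is assumed from the list response, and the sample data is constructed.

```python
import ipaddress

# Restriction objects and their allow-list fields, as used in the REST bodies on this page.
APP_RESTRICTIONS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}


def audit_key(key):
    """Return findings for one key resource; an empty list means both kinds are set."""
    restrictions = key.get("restrictions") or {}
    findings = []

    # An application restriction only counts if its allow-list is non-empty.
    active = [name for name, field in APP_RESTRICTIONS.items()
              if (restrictions.get(name) or {}).get(field)]
    if not active:
        findings.append("no application restriction")

    services = [t.get("service") for t in restrictions.get("apiTargets") or []]
    if not any(services):
        findings.append("no API restriction")

    # Server restrictions: each entry must parse as an IP or CIDR and not be loopback
    # (the page states that localhost is not supported).
    server = restrictions.get("serverKeyRestrictions") or {}
    for entry in server.get("allowedIps", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append("allowedIps entry is not an IP or CIDR: %s" % entry)
            continue
        if net.is_loopback:
            findings.append("allowedIps entry is loopback: %s" % entry)
    return findings


def audit_keys(list_response):
    """Map key uid -> findings, keeping only keys that have at least one finding."""
    report = {}
    for key in list_response.get("keys", []):
        found = audit_key(key)
        if found:
            report[key.get("uid", "<no uid>")] = found
    return report


# Constructed keys.list response: uids, display names and values are made up.
SAMPLE = {"keys": [
    {"uid": "11111111-aaaa", "displayName": "legacy-maps"},
    {"uid": "22222222-bbbb", "displayName": "batch",
     "restrictions": {
         "serverKeyRestrictions": {"allowedIps": ["localhost", "198.51.100.0/24"]},
         "apiTargets": [{"service": "bigquery.googleapis.com"}]}},
    {"uid": "33333333-cccc", "displayName": "web",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": ["*.example.com"]},
         "apiTargets": [{"service": "bigquery.googleapis.com"}]}},
]}

if __name__ == "__main__":
    for uid, found in audit_keys(SAMPLE).items():
        print(uid, found)
```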
Get project information from a key string
You can determine which Google Cloud project an API key is associated with from its string.
Replace KEY_STRING with the key string you need project information for.
gcloud
You use the gcloud services api-keys lookup command to get the project ID from a key string.
gcloud services api-keys lookup KEY_STRING
Java
To run this sample, you must install the google-cloud-apikeys client library.
Python
To run this sample, you must install the API Keys client library.
REST
You use the lookupKey method to get the project ID from a key string.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://apikeys.googleapis.com/v2/keys:lookupKey?keyString=KEY_STRING"
Undelete an API key
If you delete an API key by mistake, you can undelete (restore) that key within 30 days of deleting the key. After 30 days, you cannot undelete the API key.
Console
In the Google Cloud console, go to the Credentials page.
Click Restore deleted credentials.
Find the deleted API key that you want to undelete, and click Restore.
Undeleting an API key may take a few minutes to propagate. After propagation, the undeleted API key is displayed in the API keys list.
gcloud
Get the ID of the key that you want to undelete.
The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list --show-deleted command to list the deleted keys in your project.
Use the gcloud services api-keys undelete command to undelete an API key.
gcloud services api-keys undelete KEY_ID
Replace the following values:
- KEY_ID: The ID of the key that you want to undelete.
REST
Get the ID of the key that you want to undelete.
The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method, with the showDeleted query parameter set to true. The key ID is listed in the uid field of the response.
Replace PROJECT_ID with your Google Cloud project ID or name.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys?showDeleted=true"
Use the undelete method to undelete the API key.
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID:undelete"
This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
- PROJECT_ID: Your Google Cloud project ID or name.
- KEY_ID: The ID of the key that you want to undelete.
Poll long-running operations
API Keys API methods use long-running operations. If you use the REST API to create and manage API keys, an operation object is returned from the initial method request. You use the operation name to poll the long-running operation. When the long-running request completes, polling the operation returns the data from the long-running request.
To poll a long-running API Keys API operation, you use the operations.get method.
Replace OPERATION_NAME with the operation name returned by the long-running operation. For example, operations/akmf.p7-358517206116-cd10a88a-7740-4403-a8fd-979f3bd7fe1c.
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://apikeys.googleapis.com/v2/OPERATION_NAME"
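A polling loop for the operations.get call above, added as an example and not part of Google's samples. It assumes the standard long-running Operation fields `done`, `response` and `error`, which this page does not show; the function and parameter names are this example's own, and the token is whatever `gcloud auth print-access-token` returned.

```python
import json
import re
import time
import urllib.request

API_ROOT = "https://apikeys.googleapis.com/v2/"
# Shape of the operation name shown on this page: "operations/" plus an opaque id.
OPERATION_NAME_RE = re.compile(r"operations/[A-Za-z0-9._-]+")


class OperationFailed(Exception):
    """The operation finished with an error status."""


def http_get_json(url, token):
    """GET a URL with a bearer token and decode the JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_operation(name, token, get_json=http_get_json, timeout=120.0,
                       first_delay=1.0, max_delay=16.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Poll operations.get until the operation is done; return its response payload."""
    # The name comes from a server response; check its shape before building a
    # URL that will carry the caller's access token.
    if not OPERATION_NAME_RE.fullmatch(name):
        raise ValueError("unexpected operation name: %r" % name)

    deadline = clock() + timeout
    delay = first_delay
    while True:
        op = get_json(API_ROOT + name, token)
        if op.get("done"):
            if "error" in op:
                err = op["error"]
                raise OperationFailed("%s: %s" % (err.get("code"), err.get("message")))
            # After keys.create the payload describes the new key and may include
            # its key string: hand it to the caller, do not log it.
            return op.get("response", {})
        if clock() + delay > deadline:
            raise TimeoutError("operation %s still running after %ss" % (name, timeout))
        sleep(delay)
        delay = min(delay * 2, max_delay)   # exponential backoff, capped
```

The `get_json`, `sleep` and `clock` parameters exist so the loop can be exercised without network access.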
Limits on API keys
You can create up to 300 API keys per project. This limit is a system limit, and cannot be changed using a quota increase request.
If more API keys are needed, you must use more than one project.
What's next
- Learn about best practices for keeping your API keys secure.
- Learn more about the API Keys API.