Using API Keys

This guide shows how to create API keys, and how to set up API key restrictions, for GCP applications. To learn more about authenticating to a GCP API, see Authentication overview. For information about setting up API keys for Google Maps, see the Google Maps documentation.

API keys are a simple encrypted string that can be used when calling certain APIs that don't need to access private user data. API keys are useful in clients such as browser and mobile applications that don't have a backend server. The API key is used to track API requests associated with your project for quota and billing.

API keys have important limitations, such as:

Because of this we recommend using the standard authentication flow instead. However, there are limited cases where API keys are more appropriate. For example, if you're developing a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API. In most cases, we recommend having your application communicate to a backend server that handles authenticating to, and calling, Google Cloud Platform services.

Creating an API key

To create an API key, your account must be granted the primitive Editor role (roles/editor) on the current project. For more information, see primitive roles.

To create an API key:

  1. Navigate to the APIs & Services→Credentials panel in GCP Console.

  2. Select Create credentials, then select API key from the dropdown menu.

  3. Click the Create button. The API key created dialog box displays your newly created key.

You might want to copy your key and keep it secure. Unless you are using a testing key that you intend to delete later, add application and API key restrictions.

Using an API key

Pass the API key into a REST API call as a query parameter with the following format. Replace API_KEY with your API key:

key=API_KEY

For example, to pass an API key for a Cloud Natural Language API request for documents.analyzeEntities:

POST https://language.googleapis.com/v1/documents:analyzeEntities?key=API_KEY
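The call above, built the way the Securing an API key section recommends: the key is read from an environment variable rather than embedded in source, appended as the key= query parameter, and redacted again before the URL is logged. This is an added example, not code from the Google documentation; GCP_API_KEY is a hypothetical variable name and the request body follows the analyzeEntities schema.

```python
import os
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ENDPOINT = "https://language.googleapis.com/v1/documents:analyzeEntities"


def load_api_key(env_var: str = "GCP_API_KEY") -> str:
    """Read the key from the environment (GCP_API_KEY is a hypothetical variable
    name) rather than from a literal in the source tree."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to build an unauthenticated request")
    return key


def build_request(text: str, api_key: Optional[str] = None) -> Tuple[str, Dict]:
    """Return (url, json_body) for analyzeEntities with the key passed as ?key=...
    urlencode() takes care of any characters that need escaping in the query string."""
    key = api_key if api_key is not None else load_api_key()
    url = f"{ENDPOINT}?{urlencode({'key': key})}"
    body = {"document": {"type": "PLAIN_TEXT", "content": text}, "encodingType": "UTF8"}
    return url, body


def redact_key(url: str) -> str:
    """Because the key travels in the URL, strip it before the URL reaches any log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed key value for the demonstration; a real key comes from the environment.
    url, body = build_request("Google Cloud runs in many regions.", api_key="CONSTRUCTED_KEY")
    print("POST", redact_key(url))
    print(body)
```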

Securing an API key

When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To help keep your API keys secure, follow these best practices:

  • Do not embed API keys directly in code. API keys that are embedded in code can be accidentally exposed to the public. For example, you may forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.

  • Do not store API keys in files inside your application's source tree. If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.

  • Set up application and API key restrictions. By adding restrictions, you can reduce the impact of a compromised API key.

  • Delete unneeded API keys to minimize exposure to attacks.

  • Regenerate your API keys periodically. You can regenerate API keys from the Credentials page by clicking Regenerate key for each key. Then, update your applications to use the newly generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.

  • Review your code before publicly releasing it. Ensure that your code does not contain API keys or any other private information before you make your code publicly available.

Adding restrictions to API keys

An API key is unrestricted by default. Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides.

For production applications, set both application and API restrictions.

To add API key restrictions:

  1. Navigate to the APIs & Services→Credentials panel in GCP Console.

  2. Select the name of an existing API key. The restrictions section appears at the bottom of the page.

Application restrictions

Application restrictions specify which web sites, IP addresses, or apps can use an API key. Add application restrictions based on your application type. You can only set one restriction type per API key.

  1. Select the Application restrictions tab in the Key restrictions section.

  2. Choose the restriction type based on your application needs. To add more than one value for any restriction, type the first value, and then press the Enter key. Repeat to add values.

    • Use None for testing purposes only.

    • Use HTTP referrers for API clients that run on a web browser, so that only the specified pages can call the API. These types of applications expose their API keys publicly, so we recommend using a service account instead. See Adding HTTP restrictions for examples.

    • Use IP addresses to limit API key access to certain IP addresses.

    • Use Android apps for Android applications. This option requires adding your package name and SHA-1 signing-certificate fingerprint.

    • Use iOS apps for iOS applications. This option requires adding at least one iOS bundle identifier to restrict API calls to specific iOS bundles.

  3. Select the Save button.

Adding HTTP restrictions

To add HTTP restrictions:

  • Input at least one restriction into the form field.

  • If your domain supports both HTTP and HTTPS, both restrictions must be added separately.

  • To add more than one value, type the first value, and then press the Enter key. Repeat to add values.

  • You can optionally use wildcard characters (*) for the subdomain and/or path.

The following table shows example scenarios and restrictions, from most restrictive to least restrictive. We recommend using the most restrictive example that fits your use case.

Scenario: Allow a specific URL.

Add a single restriction with an exact path. For example:

  • https://www.example.com/path
  • http://www.example.com/path/path

Scenario: Allow any URL in a single subdomain or naked domain.

You must set at least two restrictions to allow an entire domain.

  1. Set a restriction for the domain, without the trailing slash. For example:
    • https://www.example.com
    • http://sub.example.com
    • http://example.com
  2. Set a second restriction for the domain that includes a wildcard for the path. For example:
    • https://www.example.com/*
    • http://sub.example.com/*
    • http://example.com/*
  3. If your domain allows both HTTP and HTTPS, you must add the additional restrictions separately.

Scenario: Allow any subdomain URLs in a single domain.

You must set at least two restrictions.

  1. Set a restriction for the domain, with a wildcard for the subdomain and without the trailing slash. For example:
    • https://*.example.com
  2. Set a second restriction for the domain that includes a wildcard for the path, such as:
    • https://*.example.com/*
  3. If your domain allows both HTTP and HTTPS, you must add the additional restrictions separately.
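A small checker for a referrer restriction list, added here as an example and not part of the Google documentation. It models the rules stated above (exact match unless a * is present, * in the host covering a subdomain, * in the path covering everything beneath it, http and https treated separately) so you can test which referrers a draft list admits before saving it, and it flags the common mistake the table warns about: a domain restriction saved without its /* companion. The matching semantics are an assumption drawn from the documented examples, not Google's implementation, and the restriction list is constructed.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample restriction list, modelled on the table above.
RESTRICTIONS = [
    "https://www.example.com",
    "https://www.example.com/*",
    "https://*.example.com",
    "https://*.example.com/*",
    "http://example.com",  # origin only: its http://example.com/* companion is missing
]


def _compile(restriction: str) -> "re.Pattern[str]":
    """Turn one referrer restriction into a regex (a model of the documented rules)."""
    scheme, _, rest = restriction.partition("://")
    host, slash, path = rest.partition("/")
    # '*' in the host stands for one or more non-slash characters, so
    # '*.example.com' covers 'api.example.com' but not the bare 'example.com'.
    host_re = re.escape(host).replace(r"\*", r"[^/]+")
    # '*' in the path covers anything after it, including nested paths.
    path_re = re.escape(path).replace(r"\*", r".*")
    # The scheme must match exactly: http and https restrictions are separate entries.
    return re.compile(rf"^{re.escape(scheme)}://{host_re}{slash}{path_re}$")


def matching_restriction(referrer: str, restrictions: Iterable[str]) -> Optional[str]:
    """Return the first restriction that admits the referrer, or None if it is blocked."""
    for restriction in restrictions:
        if _compile(restriction).match(referrer):
            return restriction
    return None


def missing_path_wildcards(restrictions: Iterable[str]) -> List[str]:
    """Flag origin-only restrictions without the '/*' companion needed to allow
    the whole domain rather than only its root URL."""
    rules = set(restrictions)
    return sorted(r for r in rules
                  if "/" not in r.partition("://")[2] and r + "/*" not in rules)


if __name__ == "__main__":
    for ref in ("https://www.example.com/app/index.html", "https://api.example.com/v1",
                "https://example.com/", "http://www.example.com/app", "http://example.com/docs"):
        print(f"{ref:45} -> {matching_restriction(ref, RESTRICTIONS)}")
    print("restrictions missing a /* companion:", missing_path_wildcards(RESTRICTIONS))
```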

API restrictions

API restrictions specify which APIs can be called using the API key. All API keys that are used in production applications should use API restrictions.

To set API restrictions:

  1. Select the API restrictions tab in the Key restrictions section.

  2. Select an API name from the dropdown.

  3. Repeat the previous step for all APIs that your API key needs to call.

  4. Select the Save button.

Viewing existing API keys

Use GCP Console to view your existing API keys. After navigating to the APIs & Services→Credentials panel in GCP Console, existing API keys display underneath the API keys header.
