If an API requires an API key, then users of your API must enable it in their own Cloud projects before they can call it. This page shows you how to control who can enable your API.
By default, a Google Cloud Endpoints service is private to the project that it was created in. Only the Cloud project members can see it in the APIs list on the Endpoints dashboard. Additionally, only keys from that same project can be used for those API methods that require a key. When you grant someone who is not a project member access to your API, they can enable your service in their own project and generate an API key, if one is needed.
Cloud Endpoints uses the Google Cloud Identity and Access Management (IAM) Service Consumer role to allow someone who is not a member of your Cloud project to enable your API in their own Cloud project. (In previous versions of Cloud Endpoints, the "Share an API" feature did not use IAM.) You can grant access using the GCP Console or the command line.
You revoke access to your API by removing the IAM Service Consumer role from a user or group that previously had the role. After you revoke someone's access, they will no longer be able to find and enable your API.
Important: If someone has already activated your API, revoking access will not prevent them from calling your API. Although there is no easy way to prevent these calls post-activation, you could restrict access by API key and then add logic that disallows calls from that consumer's API key.
You can revoke access using the console or the command line.
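The following is an added example, not code from the Endpoints documentation, of the application-side check that the Important note describes: rejecting calls that carry a revoked consumer's API key. It assumes the key arrives in a `key` query parameter or an `x-api-key` header (where the key is read from depends on your API definition) and that you already know the key the revoked consumer uses; `REVOKED_KEY_DIGESTS`, `presented_keys` and `authorize` are hypothetical names.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit


def key_digest(api_key):
    """Hash a key so the denylist never stores raw key material."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample value: the key of a consumer who enabled the API
# before the Service Consumer role was removed from them.
REVOKED_KEY_DIGESTS = {key_digest("EXAMPLE-REVOKED-KEY")}


def presented_keys(url, headers):
    """Collect every key the request carries.

    Assumed locations: the `x-api-key` header (case-insensitive) and the
    `key` query parameter, including repeated parameters.
    """
    keys = [v for name, v in headers.items() if name.lower() == "x-api-key"]
    keys += parse_qs(urlsplit(url).query).get("key", [])
    return [k.strip() for k in keys if k.strip()]


def authorize(url, headers):
    """Return (http_status, reason) for the request.

    If several keys are presented, one revoked key is enough to deny, so a
    caller cannot hide a revoked key behind a second, valid-looking one.
    """
    keys = presented_keys(url, headers)
    if not keys:
        return 401, "no API key presented"
    if any(key_digest(k) in REVOKED_KEY_DIGESTS for k in keys):
        return 403, "API key belongs to a consumer whose access was revoked"
    return 200, "ok"


if __name__ == "__main__":
    base = "https://api.example.com/v1/items"  # constructed sample URL
    print(authorize(base + "?key=EXAMPLE-ACTIVE-KEY", {}))
    print(authorize(base, {"X-API-Key": "EXAMPLE-REVOKED-KEY"}))
    print(authorize(base + "?key=EXAMPLE-ACTIVE-KEY&key=EXAMPLE-REVOKED-KEY", {}))
    print(authorize(base, {}))
```

A denylist of this kind only blocks the keys you have listed; the consumer can still create new keys in a project where the API is already enabled, so each new key has to be added as it is observed.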