
Restricting API keys when using Google Maps Platform

Google Maps Platform Best Practices – API Key Restrictions

 

Today, we’re kicking off a series of articles on Google Maps Platform best practices for businesses and organizations.

Companies worldwide invest a great deal of time and energy in creating user and customer experiences. This article shows you the security tools you need when building products with Google Maps. You will learn what you must do to control and prevent unwanted or unexpected use of your Google Maps project in the Google Cloud Platform (GCP) Console. Today’s topic:

 

Restricting your API keys to ensure efficient and secure use of the Google Maps Platform

All Google Maps Platform APIs and SDKs, other than URLs, require an API key to be sent with every request. API keys are generated in the Google Cloud Platform console and act as unique identifiers that authenticate your requests to the Google Maps Platform, ensuring they are billed to the correct account. Your API keys are the primary way to verify your access to the Google Maps Platform APIs and SDKs.

 

Why do you need to limit your API keys?

Restricting API keys helps keep your Google Maps Platform account secure. Like the keys to your house or car, your API keys must be secured so that they are used only by the people, and in the way, you intend. We strongly recommend restricting your API keys when you create them in the Google Cloud Console. If necessary, you can always change the Google Maps API restrictions later.

 

What is an API key restriction?

API key restrictions are settings applied to an API key that limit which applications can use your APIs and SDKs with that key. For example, you can specify that an API key can only be used for requests from an Android app with your app’s package name, or for Geocoding API requests from a server whose IP address matches the server your backend service is running on.

Think of it the same way you use different passwords for different apps. Using the same password for multiple websites means a single stolen password can give an attacker access to many things. API key restrictions let you limit what a key can be used for, minimizing your exposure should the key ever be compromised.

 

What types of API key restrictions are available?

There are two types of API key restrictions: API restrictions and application restrictions. Application restrictions limit the use of an API key to a specific website, web server, or application.

The Google Maps Platform supports four types of application restrictions:

HTTP referrers: For keys used in websites and web applications; limits usage to one or more URLs. This restriction allows you to limit usage to your website’s specific domain or page.

IP addresses: Restricts usage to one or more IP addresses; designed to protect keys used in server-side requests, such as calls from web servers and cron jobs.

Android Application Restriction: Restricts the use of calls from an Android application with the specified package name.

iOS App Restriction: Restricts call usage from an iOS app with the specified bundle ID.

API restrictions limit the use of an API key to one or more APIs or SDKs. For example, if your mobile app only uses the Maps SDK for Android and the Places SDK for Android, you can restrict your API key to only those two SDKs. You can also set an API key to allow access to any number of APIs and SDKs, but we still strongly recommend limiting the list to only those you need.

 

What are the best practices for applying Google API key restrictions?

Here are some simple guidelines that you can use to determine which API key restrictions you should use and how to use them in Google Maps Platform integrations:

Use a separate API key for each origin and apply one application restriction to each. For example, create different API keys for the Android and web apps and give them an Android app restriction and an HTTP referrer restriction, respectively.

Apply an application restriction and one or more API restrictions to all your API keys. This ensures maximum security: only the applications you authorized can use your key, and only with the APIs or SDKs you listed.

Never use the same API key for clients (mobile apps, web apps) and server apps.
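The guidelines above can be checked mechanically. The following is an added example, not code from the original article or from Google: it audits a JSON export of a project's keys and reports every key that lacks an application restriction or an API restriction. It assumes the field names of the API Keys API v2 key resource; the key names, domain, IP address and service targets in the sample are constructed.

```python
import json

# Application-restriction fields inside a key's "restrictions" object
# (assumed shape: API Keys API v2 key resource, exported as JSON).
APP_RESTRICTIONS = {
    "browserKeyRestrictions": ("allowedReferrers", "HTTP referrers"),
    "serverKeyRestrictions": ("allowedIps", "IP addresses"),
    "androidKeyRestrictions": ("allowedApplications", "Android apps"),
    "iosKeyRestrictions": ("allowedBundleIds", "iOS apps"),
}

def audit_key(key):
    """Return (application restriction type or None, findings) for one key."""
    restrictions = key.get("restrictions") or {}
    app_type = None
    for field, (values_field, label) in APP_RESTRICTIONS.items():
        if (restrictions.get(field) or {}).get(values_field):
            app_type = label
    findings = []
    if app_type is None:
        findings.append("no application restriction: usable from any site, server or app")
    if not restrictions.get("apiTargets"):
        findings.append("no API restriction: usable with every API enabled in the project")
    return app_type, findings

def audit(keys):
    """Map each key's display name to its findings; clean keys are omitted."""
    report = {}
    for key in keys:
        _, findings = audit_key(key)
        if findings:
            report[key.get("displayName", key.get("name", "?"))] = findings
    return report

# Constructed sample input: one compliant key and three that break the guidelines.
SAMPLE_KEYS = json.loads("""[
  {"displayName": "web-map", "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "geocode-backend", "restrictions": {
     "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
  {"displayName": "android-app", "restrictions": {
     "apiTargets": [{"service": "maps-android-backend.googleapis.com"}]}},
  {"displayName": "legacy-shared"}
]""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_KEYS), indent=2))
```

A key with no application restriction is also the one most likely to be shared between client and server code, since nothing ties it to either, so it is the first candidate to split into separate keys.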

 

How can you limit your API keys?

Restricting an API key is quick and easy. You can do this anytime from the Credentials tab on the APIs & Services page in the Google Cloud Platform console. But, as mentioned earlier, we recommend that you apply restrictions to each key at the time you create it. To learn how to restrict an API key, follow the instructions in the Google Maps Platform docs or watch this video:

 

How do we distribute access to the project among different participants?

GCP uses Google Accounts for authentication and access control. Your technical staff, internal developers, or external contractors must have Google Accounts to access the Google Cloud Platform. We recommend using fully managed Google Workspace (formerly G Suite) accounts linked directly to your corporate domain name or through Cloud Identity. This way, your developers, finance staff, and accountants can access GCP using their corporate email IDs, and your administrators can view and control accounts through the admin console while granting various access rights to the Google Maps Platform project.

Companies and developers are creating incredible things with the Google Maps Platform, and our goal at Cloudfresh is to do our best to make you successful. Restricting your API keys is one easy way to keep your account secure and limit unauthorized use if your key is compromised.

Ask us for help with getting your Google Maps API for business.

Cloudfresh, as a certified partner, provides Google Maps integration, development and connection services to Google Cloud and Google Maps Platform.

What do we offer?

  • Google Maps Platform-based development services;
  • Technical teams’ training;
  • Consultations and API integration;
  • Technical support.

By cooperating with us, you will receive the following:

  • Access to a seven-level discount system, which is possible only with a Google Maps partner;
  • Payment by invoice in EUR, USD, CZK, PLN, UAH, or any other currency;
  • Professional support throughout the journey with a solution.

Contact our team and take your customers’ location-based experience to the next level with Google Maps solutions.