
Restricting API keys when using Google Maps Platform

Google Maps Platform Best Practices – API Key Restrictions

Today, we’re kicking off a series of articles on Google Maps Platform best practices for businesses and organizations.

Companies worldwide invest a great deal of time and energy into creating experiences for their users and customers. This article covers the security tools you need when building products that use Google Maps. You will learn how to control and prevent unwanted or unexpected use of your Google Maps project in the Google Cloud Platform (GCP) Console. Today’s topic:


Restricting your API keys to ensure efficient and secure use of the Google Maps Platform

All Google Maps Platform APIs and SDKs other than Maps URLs require you to send an API key with every request. API keys are generated in the Google Cloud Platform console and act as unique identifiers that authenticate your requests to Google Maps Platform, ensuring they are billed to the correct account. Your API keys are the primary way to verify your access to the Google Maps Platform APIs and SDKs.


Why do you need to limit your API keys?

Restricting API keys helps keep your Google Maps Platform account secure. Just like the keys to your house or car, an API key must be secured so that it is used only by the people and in the way you intend. We strongly recommend restricting your API keys when you create them in the Google Cloud Console. If necessary, you can always change the restrictions later.


What is an API key restriction?

API key restrictions are settings applied to an API key that limit which applications can use your APIs and SDKs with that key. For example, you can specify that an API key can only be used for requests from an Android app with your app’s package name, or for Geocoding API requests from a server whose IP address matches the server your backend service is running on.

Think of it the same way as using different passwords for different apps. Using the same password for multiple websites means that one stolen password gives an attacker access to many things. API key restrictions let you limit what a key can be used for, minimizing your exposure should your key ever be compromised.


What types of API key restrictions are available?

There are two types of API key restrictions: API restrictions and application restrictions. Application restrictions limit the use of an API key to a specific website, web server, or application.

Google Maps Platform supports four types of application restrictions:

HTTP referrers: these are for keys used in websites and web applications and limit usage to one or more URLs. This restriction allows you to set usage for your website’s specific domain or page.

IP addresses: these restrict usage to one or more IP addresses and are designed to protect keys used in server-side requests, such as calls from web servers and cron jobs.

Android application restriction: restricts usage to calls from an Android application with the specified package name.

iOS app restriction: restricts usage to calls from an iOS app with the specified bundle ID.

API restrictions limit the use of an API key to one or more APIs or SDKs. For example, if your mobile app only uses the Maps SDK for Android and the Places SDK for Android, you can restrict your API key to only those two SDKs. You can also set an API key to allow access to any number of APIs and SDKs, but we still strongly recommend limiting the list to only those you really need.


What are the best practices for applying API key restrictions?

Here are some simple guidelines that you can use to determine which API key restrictions you should use and how to use them in Google Maps Platform integrations:

Use a separate API key for each origin and apply an application restriction to each. For example, create different API keys for the Android app and the web app, and give them an Android app restriction and an HTTP referrer restriction, respectively.

Apply an application restriction and one or more API restrictions to all your API keys. This gives the strongest protection and ensures that only applications authorized to use a given API or SDK can use your key.

Never use the same API key for clients (mobile apps, web apps) and server apps.
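The guidelines above can be checked mechanically. The following added example (not part of the original article or of Google's tooling) audits a list of keys for a missing application restriction, a missing API restriction, and API targets beyond what an integration needs. Field names follow the API Keys API v2 key resource; the key names, service names and the `NEEDED` inventory are constructed assumptions.

```python
import json

# Constructed sample shaped like API Keys API v2 Key resources (the JSON that
# `gcloud services api-keys list --format=json` returns). All values are made up.
SAMPLE_KEYS = json.loads("""[
 {"displayName": "web-map", "restrictions": {
   "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
   "apiTargets": [{"service": "maps-backend.googleapis.com"},
                  {"service": "places-backend.googleapis.com"}]}},
 {"displayName": "android-app", "restrictions": {
   "androidKeyRestrictions": {"allowedApplications": [
     {"packageName": "com.example.app", "sha1Fingerprint": "00:11:22:33"}]}}},
 {"displayName": "legacy-shared"},
 {"displayName": "backend-geocoder", "restrictions": {
   "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
   "apiTargets": [{"service": "geocoding-backend.googleapis.com"}]}}
]""")

# Assumed inventory: the services each integration really needs.
NEEDED = {
    "web-map": {"maps-backend.googleapis.com"},
    "android-app": {"maps-android-backend.googleapis.com"},
    "backend-geocoder": {"geocoding-backend.googleapis.com"},
}

# Application restriction field -> the list that must be non-empty inside it.
APP_FIELDS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}

def audit_key(key, needed):
    """Return the list of best-practice findings for one key."""
    r = key.get("restrictions") or {}
    findings = []
    if not any((r.get(f) or {}).get(sub) for f, sub in APP_FIELDS.items()):
        findings.append("no application restriction: usable from any client or server")
    targets = {t["service"] for t in r.get("apiTargets") or []}
    if not targets:
        findings.append("no API restriction: key works for every enabled API")
    for extra in sorted(targets - needed.get(key["displayName"], set())):
        findings.append(f"API target not in inventory: {extra}")
    return findings

def audit(keys, needed=NEEDED):
    """Map key name -> findings, listing only keys that have findings."""
    report = {k["displayName"]: audit_key(k, needed) for k in keys}
    return {name: f for name, f in report.items() if f}
```

On the sample, `audit(SAMPLE_KEYS)` reports `web-map`, `android-app` and `legacy-shared`, and leaves `backend-geocoder` out because it has both kinds of restriction and no extra targets.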


How can you limit your API keys?

Restricting an API key is quick and easy. You can do this anytime from the Credentials tab on the APIs & Services page in the Google Cloud Platform console. But, as mentioned earlier, we recommend that you apply restrictions to each key at the moment you create it. To learn how to restrict an API key, follow the instructions in the Google Maps Platform docs.


How do we distribute access to the project among different participants?

GCP uses Google Accounts for authentication and access control. Your technical staff, internal developers, or external contractors must have Google Accounts to access the Google Cloud Platform. We recommend using fully managed Google Workspace (formerly G Suite) accounts linked directly to your corporate domain name or through Cloud Identity. This way, your developers, finance staff, and accountants can access GCP using their corporate email IDs, and your administrators can view and control accounts through the admin console while granting various access rights to the Google Maps Platform project.

Companies and developers are creating incredible things with the Google Maps Platform, and our goal at Cloudfresh is to do our best to make you successful. Restricting your API keys is one easy way to keep your account secure and limit unauthorized use in case your key is compromised.

Cloudfresh, as a reseller partner, provides development and connection services for Google Cloud and Google Maps Platform in Ukraine, Poland, Central and Eastern European countries, the CIS, and the Middle East. You can buy and pay for Google Cloud products by bank transfer with receipt of expenditure, accounting, and legal documents. For more information and advice, please contact our Google Cloud team of certified Product and Sales Managers and Google Maps Developers.

