API keys are required for apps and projects that use the Google Maps Platform APIs and SDKs. For maximum security and minimal effort, secure your API keys when you create them.
While it is possible to secure API keys after they're created and in use, there can be different constraints based on how the key is used. Updating or replacing keys in mobile apps (Android and iOS) is the most complicated, since the keys won't all be replaced until all customers update their apps. Updating or replacing keys in JavaScript or Web Service apps is much more straightforward, but updating or replacing these keys may still require careful planning and fast work. Security practices applicable to the individual Google Maps Platform product, such as Maps JavaScript API, are listed in the More information section.
Restricting your API keys
When you first create your API keys, restrict them with an application restriction and one or more API restrictions.
If you did not secure your API key when you created it, create additional API keys and restrict them, then update all of your apps with the new API keys. While one key per application would be ideal for security purposes, you can use restricted keys on multiple apps as long as the types of app restrictions on the key would not cause incompatibility issues with the apps that share a key. If you’re restricting API keys after they’ve been created, check the API key usage to make sure that the restrictions won’t break any of your existing apps.
Setting an application restriction for an API key
Setting an API restriction for an API key
Deleting unused API keys
Caution: Confirm that your API key is unused before deleting.
Before you delete an API key, make sure that it is not used in production. If there is no successful traffic, the key is likely safe to delete. To delete an API key:
Other ways to secure your APIs
Be careful when regenerating API keys
Caution: Confirm that you know where the API key is used before regenerating it.
Regenerating an API key creates a new key that has all the old key's restrictions. This also starts a 24-hour timer to deactivate the old API key. During this time window, both the old and new key are accepted, giving you a chance to migrate your apps to use the new key. However, any apps still using the old API key will stop working after this period elapses.
Note: If necessary, any key that has been regenerated can be rolled back to its previous version, and there are no time limits for roll-back.
Upon rolling back, the former "new" version of the key becomes the previous version, and a new 24-hour deactivation timer is set for it. It is possible to revert between these two key values until you regenerate the key again. This second regeneration overwrites the old inactive key value.
Monitoring your API usage
To check your API key usage:
If you detect unauthorized usage, do the following:
Using separate API keys for each app
This limits the scope of each key. If an API key is compromised, you can delete or regenerate the impacted key without needing to update your other API keys.
Migrating to multiple API keys
To migrate from using one API key for multiple apps to a single unique API key for each app, do the following:
Maps Web Service APIs or Static Web APIs app protection methods
Web Service APIs or Static Web APIs mobile app protection methods
These tables list the appropriate API key restrictions and API security best practices for each Google Maps Platform API, SDK or service.
Websites with Maps JavaScript, Embed or Static APIs
Apps and servers using web services
Android apps
iOS apps
1 You may use an unrestricted API key with any Google Maps Platform API or SDK. However, we strongly recommend that you restrict your API keys, especially in the following scenarios:
2 For mobile applications, consider using the native Maps SDK for Android and Maps SDK for iOS.
3 For the Maps Static API and Street View Static API, in addition to an API key, you need to provide a digital signature to exceed the daily quota of 25,000 map loads. Note: Request signing secrets require at least the same level of security as API keys used with Maps Web Service APIs. If you need to sign your image requests dynamically, do it server side. If your apps rely on client-side input for generating the static images, secure them using a proxy server or obfuscation. If you sign your requests, review how many unsigned requests you wish to allow per day and adjust your unsigned request quotas accordingly.
4 IP restrictions might be impractical in some scenarios, such as in mobile applications and cloud environments that rely on dynamic IP addresses. When using Maps Web Service APIs in these scenarios, secure your apps using a proxy server or obfuscation.
5 For mobile applications, consider using the native Places SDK for Android and Places SDK for iOS.
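Footnote 3 says that Static API requests should be signed server side. As an added example, not code from this page or from Google, the following implements the Static APIs' signing scheme (HMAC-SHA1 over the URL path and query, keyed with the URL-safe base64-decoded signing secret) together with the matching verification a server would perform; the secret, API key and URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def _compute_signature(url_to_sign: str, secret: str) -> str:
    # The signing secret is distributed as URL-safe base64; decode to raw key bytes.
    key = base64.urlsafe_b64decode(secret)
    digest = hmac.new(key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def sign_static_maps_url(url: str, secret: str) -> str:
    """Append a request signature to a Maps Static / Street View Static URL.

    The signature covers the path and query (everything after the host),
    including the key= parameter, so changing any parameter invalidates it.
    Run this server side only; the secret must never ship to a client.
    """
    parsed = urlparse(url)
    if not parsed.query:
        raise ValueError("URL must carry its query string (key= and parameters)")
    url_to_sign = parsed.path + "?" + parsed.query
    signature = _compute_signature(url_to_sign, secret)
    return f"{parsed.scheme}://{parsed.netloc}{url_to_sign}&signature={signature}"


def verify_signed_url(signed_url: str, secret: str) -> bool:
    """Check a signed URL the way the service does: recompute and compare."""
    parsed = urlparse(signed_url)
    query, marker, presented = parsed.query.rpartition("&signature=")
    if not marker:
        return False  # no signature present at all
    expected = _compute_signature(parsed.path + "?" + query, secret)
    # Constant-time comparison so a forged signature cannot be probed via timing.
    return hmac.compare_digest(expected, presented)


# Constructed demo values; a real secret and key come from the Cloud console.
DEMO_SECRET = base64.urlsafe_b64encode(b"constructed-signing-secret").decode("ascii")
DEMO_URL = ("https://maps.googleapis.com/maps/api/staticmap"
            "?center=Brooklyn+Bridge,New+York,NY&zoom=13&size=600x300"
            "&key=PLACEHOLDER_API_KEY")

if __name__ == "__main__":
    signed = sign_static_maps_url(DEMO_URL, DEMO_SECRET)
    print(signed)
    print("valid:", verify_signed_url(signed, DEMO_SECRET))
    print("tampered:", verify_signed_url(signed.replace("zoom=13", "zoom=15"), DEMO_SECRET))
```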