API Key Best Practices

As you develop apps that use Google Maps, you will encounter API keys. This document identifies the intended use of API keys, how to protect them as you would other credentials, and which restrictions are appropriate for your projects.

What are API keys?

API keys are project-centric credentials that serve two purposes:

  • Project Identification.
    Identify the app or the project that's making a call to this API.
  • Project Authorization.
    Check whether the calling app has been granted access to call the API and has enabled the API in the project.

When an API key is created, it is associated with a project. By identifying the calling project, an API key enables usage information to be associated with that project, and the key allows Google Maps Platform APIs to reject calls from other projects.

Protecting API keys

You should secure the API keys in your application for all Maps Platform products that your application uses. You can secure API keys by designating restrictions and by implementing best practices that are appropriate for the Google Maps Platform APIs in your application. Publicly exposing unsecured credentials can result in unintended use, which could lead to unexpected charges on your account.

The following practices describe strategies to help protect your API keys. The applicable practices for an individual Google Maps Platform product, such as Maps JavaScript API, are listed in the API key restrictions associated with Google Maps Platform products section.

Send feedback about...

Google Maps Platform
Google Maps Platform