API Key Best Practices

API keys are required for apps and projects that use the Google Maps Platform APIs and SDKs. This document identifies the intended use of API keys, how to protect them as you would other credentials, and which restrictions are appropriate for your projects.

What are API keys?

API keys are project-centric credentials that serve two purposes:

  • Project Identification.
    Identify the app or the project that's making a call to the API or SDK.
  • Project Authorization.
    Check whether the calling app has been granted access to call the API or SDK and has enabled the API or SDK in the project.

When an API key is created, it is associated with a project. By identifying the calling project, an API key enables usage information to be associated with that project, and helps ensure calls from other projects are rejected.

Protecting API keys

You should secure the API keys in your application for all Google Maps Platform products that your application uses. You can secure API keys by designating restrictions and by implementing best practices that are appropriate for the Google Maps Platform APIs in your application. Publicly exposing unsecured credentials can result in unintended use, which could lead to unexpected charges on your account.

The following practices describe strategies to help protect your API keys. The applicable practices for an individual Google Maps Platform product, such as Maps JavaScript API, are listed in the API key restrictions and best practices section.