An API key is a simple encrypted string that you can use when calling
Google Cloud APIs. A typical use of an API key is to pass the key into a REST
API call as a query parameter with the following format:
http://example-library.googleapis.com/v1/publishers/mypublisher/books?key=API_KEY
API keys are useful for accessing public data anonymously, and are used to
associate API requests with the consumer Google Cloud project for quota and
billing.
API Keys provides you a programmatic interface to create and manage API
keys for your project. It provides you more control over API keys
than the API key-related tasks that you can do in the Google Cloud console.
To learn more about authenticating to Google Cloud APIs and to determine
the best authentication strategy for common scenarios, see
Authentication overview. To learn more about using
API keys for Google Maps Platform APIs and SDKs, see the
Google Maps Platform documentation.
Securing an API key
When you use API keys in your applications, ensure that they are kept secure
during both storage and transmission. Publicly exposing your credentials can
result in your account being compromised, which could lead to unexpected charges
on your account. To help keep your API keys secure, follow these best practices:
Do not embed API keys directly in code. API keys that are embedded in code
can be accidentally exposed to the public. For example, you may forget to
remove the keys from code that you share. Instead of embedding your API keys
in your applications, store them in environment variables or in files outside
of your application's source tree.
Add restrictions on the API key. By adding restrictions, you can reduce the
impact of a compromised API key.
Delete unneeded API keys to minimize exposure to attacks.
Rotate your API keys periodically. To rotate your API keys, call the CreateKey
method. After the replacement keys are created, update your applications to use
the newly-generated keys and delete the old keys.
Review your code before publicly releasing it. Ensure that your code does not
contain API keys or any other private information before you make your code
publicly available.
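One way to act on the "do not embed" and "review your code before releasing it" practices is a pre-release scan of the source tree. The following is an added example, not Google's code or part of the original page; the function names are hypothetical, and the "AIza" key shape is an assumption based on how Google API keys commonly appear rather than something this page specifies.

```python
import re
import sys
from pathlib import Path

# Assumption (not from this page): Google API keys look like "AIza" + 35 URL-safe chars.
GOOGLE_KEY = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# The query-parameter form shown on this page: ...?key=VALUE
KEY_PARAM = re.compile(r"[?&]key=([^&\s\"'#]+)")
# Template values and variable references, which are not secrets themselves.
PLACEHOLDER = re.compile(r"(API_KEY|YOUR_API_KEY|\$\{?\w+\}?|\{\w*\}|%s|<[^>]+>)$")


def redact(value):
    """Keep only enough of a secret to locate it; never echo it whole."""
    shown = value[:4] if len(value) > 8 else ""
    return f"{shown}****(len={len(value)})"


def scan_text(text, origin="<memory>"):
    """Return (origin, line_no, rule, redacted_value) for each suspected key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_KEY.finditer(line):
            findings.append((origin, line_no, "google-key-format", redact(match.group(0))))
        for match in KEY_PARAM.finditer(line):
            value = match.group(1)
            # Skip placeholders and keys already reported by the format rule.
            if not (PLACEHOLDER.match(value) or GOOGLE_KEY.fullmatch(value)):
                findings.append((origin, line_no, "key-query-param", redact(value)))
    return findings


def scan_tree(root):
    """Scan every readable text file under root, skipping VCS metadata."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            try:
                findings += scan_text(path.read_text(encoding="utf-8"), str(path))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for origin, line_no, rule, shown in results:
        print(f"{origin}:{line_no}: {rule}: {shown}")
    sys.exit(1 if results else 0)
```

The non-zero exit status lets the scan gate a release job. A key that the scan finds should be treated as exposed and rotated, not just removed from the file.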
What's next