Google has begun alerting developers who are using unrestricted API keys for Google Maps Platform services — a security risk that can expose your account to unauthorized use and unexpected billing. If you’ve received a warning email from Google, it means your key is public and needs restrictions.
Why Restricting Your API Key Matters
When an API key is unrestricted, anyone who discovers it (for example, in your website’s code or a GitHub repository) can use it to make requests to Google’s APIs. Those requests are charged to your account, potentially costing hundreds or thousands of dollars in unexpected usage fees. Restricting your key ensures that only your website, app, or server can use it.
Step-by-Step: How to Secure Your Google Maps API Key
1. Go to Your Credentials Page
Visit your Google Cloud Console Credentials page and log in to your project. You’ll see all your active API keys under Credentials.
2. Identify Unrestricted Keys
Click each key and look for Application restrictions: None. Any key without restrictions is unsafe and should be updated immediately.
3. Add Restrictions Based on How You Use the Key
If your API key is used on a website:
- Choose HTTP referrers (websites) under Application restrictions.
- Add your site URLs (for example, https://examplemapsdemo.com/* or https://www.examplemapsdemo.com/*).
- Under API restrictions, select the specific APIs you use — typically the Maps JavaScript API and Places API.
If your key is used on a server or backend app:
- Choose IP addresses (web servers, cron jobs, etc.).
- Enter your server’s public IP address.
- Restrict the key to server-side APIs such as the Geocoding API.
4. Test and Disable Old Keys
After updating, test your site or app to confirm everything works. Once confirmed, disable or delete any unrestricted keys.
5. Review Regularly
Check your credentials in the Google Cloud Console at least once a month, and rotate keys every 6–12 months to maintain security.
The Risks of Ignoring API Key Restrictions
Leaving your API key unrestricted can lead to:
- Unauthorized third-party usage
- Unexpected credit card charges
- Potential account suspension for abuse
Google explicitly holds account owners responsible for all activity associated with their keys, even if the requests come from elsewhere.
Final Thoughts
If your project uses Google Maps for location data, directions, or geocoding, securing your API keys is one of the simplest and most effective ways to protect your account. Restricting by domain, IP, or app ensures that your Maps services stay functional — and your billing stays under your control.
