0

I am developing an application with Google plus. Hence I need an API key. I have generated the key in API console. Now using that key I am going to access some data from Google+ using JavaScript in JSON. But in this method my API key will be publicly visible. Is it OK to share it?

Some information I got from here https://developers.google.com/console/help/#UsingKeys

Chris Morgan
Hari Das

1 Answer

7

Having API Keys public for client-side applications can't be avoided. To make sure no other people can (ab)use your API Key you can limit your API Key in the API console, so that it can only be used from your own domain, by defining "allowed referers".

Scarygami
  • But how can they abuse my API key, as Google+ has mentioned that the API cannot be used for authentication purposes? – Hari Das Jul 12 '13 at 17:00
  • You specify the exact domains to be "whitelisted" for your API key. You don't specify wildcard matches. If you need multiple domains, you specify one per line. So you would specify http://example.blogspot.com as the allowed domain. If you had an SSL version of your site, you'd additionally need to specify https://example.blogspot.com, because that is not technically the same origin as the other, since they have different ports. – BrettJ Jul 15 '13 at 05:00
  • I was wondering about this. Is it possible to spoof your Referer header from your own domain, and in that way use someone else's API key on your own domain? – Hugo Cox Sep 20 '17 at 14:15
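The answer and BrettJ's comment describe an "allowed referers" list as an exact, per-line list of origins with no wildcards, where http://example.blogspot.com and https://example.blogspot.com count as two different entries. The following is an added example, not code from the question, the answer, or Google's API console, showing how such a check behaves on the receiving side: the allowlist text, the origin normalisation (scheme, host, default port) and the function names are this example's own assumptions, and the sample referers are constructed.

```python
from urllib.parse import urlsplit

# Allowlist as it would be typed into a console: one origin per line,
# no wildcards. Constructed sample values for this example only.
ALLOWED_REFERERS = """
http://example.blogspot.com
https://example.blogspot.com
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its origin as (scheme, host, port).

    Default ports are filled in so that http://a.example and
    http://a.example:80 compare equal. Returns None when the value has no
    scheme or host, or carries an invalid port.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def parse_allowlist(text):
    """One origin per line; blank lines are ignored, bad lines are an error."""
    origins = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        origin = origin_of(line)
        if origin is None:
            raise ValueError(f"not an origin: {line!r}")
        origins.add(origin)
    return origins


def referer_allowed(referer, allowlist_text=ALLOWED_REFERERS):
    """True when the request's Referer header names an allowed origin.

    Matching is on the whole origin, so a different scheme, a different
    port, a parent/child domain or a lookalike suffix all fail. A missing
    or unparsable Referer is rejected because there is nothing to match.
    """
    if not referer:
        return False
    origin = origin_of(referer)
    return origin is not None and origin in parse_allowlist(allowlist_text)


if __name__ == "__main__":
    for sample in (
        "http://example.blogspot.com/post.html",
        "https://example.blogspot.com/",
        "http://example.blogspot.com:8080/",
        "http://example.blogspot.com.evil.example/",
        "http://evil.example/?next=http://example.blogspot.com",
        "",
    ):
        print(f"{sample!r:60} -> {referer_allowed(sample)}")
```

Note the asymmetry the example makes visible: with only `https://example.org` on the list, a referer of `http://example.org/` is refused, which is exactly why BrettJ says both versions must be listed. The check matches the origin the browser reports in the Referer header; since that header is supplied by the client, the restriction limits where a browser-based page can use the key, which is consistent with the page's own point that the key is not an authentication credential.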