Risk of Using Google Places API Key inside Javascript

Asked Mar 17 '16 at 15:57

Active Mar 17 '16 at 16:09

Viewed 269 times

I am currently trying to use Google Places API to add Autocomplete functionality into a Form.

I could use a Ruby Wrapper like this one:

But Autocomplete functionality seems more like a client side action closer to that one:

Problem with client side code is when trying to use a Google Places API KEY to increase the rate limit:

<script src="//maps.google.com/maps/api/js?key=XXXX&amp;v=3.13&amp;sensor=false&amp;libraries=geometry" type="text/javascript"></script>

Isn't that risky to embed an API key inside client side code, making it accessible to anybody?
Is there a way to use that client side code while protecting the API key?

edited Mar 17 '16 at 16:09

prusswan

asked Mar 17 '16 at 15:57

stefano_cdn

See this: http://stackoverflow.com/questions/8729976/does-google-maps-javascript-api-key-v3-need-to-be-kept-secret-in-html-checked – prusswan Mar 17 '16 at 16:02
You can set which http referrers the API key accepts – Duncan Tidd Mar 17 '16 at 16:05
@DuncanTidd meaning it is thus not a big deal if the key is public? – stefano_cdn Mar 17 '16 at 16:08
Basically yeah. Unless there's something that I'm not aware of :) – Duncan Tidd Mar 17 '16 at 16:09
There is no (good) way around exposing your api key for javascript API's which is why in most cases you can set the allowed domains and have a separate secret which is used on server side requests. – max Mar 17 '16 at 19:29

0 Answers0