When I create an api key, there is an option like this:

To make this key private, I entered localhost:44397.

But the problem is: the request which will use the key doesn't start with localhost:44397.

It looks like:

https://www.googleapis.com/plus/v1/people/{userId}?fields=image&key={api_key}

So, I cannot use the key for this request.

Another option: if I select None for Key restriction, that means the key is public. That's not my goal.

My question: How can I use this key as a private key?

Thank you!

  • Are you confusing two things? One is authenticating the request from the client, the other is whitelisting what clients the server will accept requests from. – ficuscr Sep 14 '17 at 18:56
  • @ficuscr Yes, man. Do you have any idea about this? –  Sep 14 '17 at 18:59

1 Answer

The optional "Accept requests from these HTTP referrers" is a "whitelist" of the HTTP referers that the Google API will accept requests from. So, if you wanted only your site to be able to make requests using your API key you would add your website there; as shown, `*.mysite.com/*` would mean Google would accept any request that originated from the mysite.com domain or a subdomain.

The API key you need to include as part of your request to the Google API is considered public. People would see it in the URL that is the image source (I am making an assumption here on how you use it).

So you want to restrict how your public key is used by saying it can only be used in conjunction with requests that originate from a specific domain.

But can't the referer be spoofed? There is a very good Q/A here on the topic: How does Google Maps secure their API Key? How to make something similar?

ficuscr
  • Thanks, the request is sent from my site but the url is `https://www.googleapis.com/..........`. So, I cannot enter it. If I enter `mysite.com/*`, the request `https://www.googleapis.com/.......` would return `403` –  Sep 14 '17 at 19:17
  • What is the domain name of your site? The `googleapis.com` has NOTHING to do with the *Key Restriction* area. – ficuscr Sep 14 '17 at 19:19
  • Right, so that would work for me because you have no HTTP referer key restriction so having stackoverflow.com be the referer is not a barrier. If you want to "restrict" it (what you are calling *make private*) then setup a domain restriction. – ficuscr Sep 14 '17 at 19:26
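To make the distinction in the answer and its comments concrete, here is an added example (not from the question, the answer, or Google's own implementation) that models a referrer whitelist the way the console's "Accept requests from these HTTP referrers" option is described: the API URL (`googleapis.com/...`) is never what gets matched; the `Referer` header sent by the browser is. The `*` glob syntax, the stripping of the scheme before matching, and the decision to reject a request with no `Referer` at all are simplifying assumptions of this model; the domains and header values are constructed sample data.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed whitelist, written in the same "*" glob style the console accepts.
# "mysite.com" is a placeholder for the asker's own domain.
ALLOWED_REFERRERS: List[str] = ["*.mysite.com/*", "mysite.com/*"]

# The request URL from the question. It is the API endpoint, so it is NOT
# something you enter in the Key Restriction area.
API_REQUEST_URL = "https://www.googleapis.com/plus/v1/people/me?fields=image&key=API_KEY_PLACEHOLDER"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a glob such as '*.mysite.com/*' into an anchored regex.

    Simplified model (assumption): '*' matches any run of characters and every
    other character is literal. Anchoring both ends is what stops
    'www.mysite.com.attacker.example' from matching '*.mysite.com/*'.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile(rf"^{escaped}$")


def normalize_referrer(referer: str) -> str:
    """Drop the scheme so patterns can be written without one (assumption of this model)."""
    parts = urlsplit(referer)
    return f"{parts.netloc}{parts.path or '/'}"


def referrer_allowed(referer: Optional[str], allowed: List[str]) -> bool:
    """True if the Referer header matches at least one whitelist pattern."""
    if not referer:
        # Assumption: once a referrer restriction is set, a request that carries
        # no Referer header (e.g. a non-browser client) is rejected.
        return False
    target = normalize_referrer(referer)
    return any(pattern_to_regex(p).match(target) for p in allowed)


def decide(request_url: str, headers: Dict[str, str], allowed: List[str]) -> int:
    """Model the API's decision: 200 when the referrer is whitelisted, 403 otherwise.

    request_url is accepted only to make the point explicit: the decision below
    never looks at it, so the googleapis.com URL in the question is irrelevant
    to the restriction.
    """
    return 200 if referrer_allowed(headers.get("Referer"), allowed) else 403


if __name__ == "__main__":
    # Constructed requests as a browser on different pages would send them.
    samples = [
        {"Referer": "https://www.mysite.com/profile"},          # own subdomain -> 200
        {"Referer": "https://mysite.com/"},                     # bare domain  -> 200
        {"Referer": "https://stackoverflow.com/questions/1"},   # other site   -> 403
        {"Referer": "https://www.mysite.com.attacker.example/"},  # lookalike -> 403
        {},                                                     # no Referer   -> 403
    ]
    for headers in samples:
        print(headers.get("Referer"), "->", decide(API_REQUEST_URL, headers, ALLOWED_REFERRERS))
```

The check is only as strong as the `Referer` header itself: a browser sets it honestly for pages it renders, which is what makes the restriction useful against another site embedding your key, but a non-browser client chooses its own headers, which is the limitation the answer's last paragraph points to.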