Google maps api key in html/javascript

Question

I want to embed a google javascript map to my web site.

In the docs at: https://developers.google.com/maps/documentation/javascript/tutorial

It says that I should load the scripts using my api key in the url:

<script src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"
async defer></script>

Doesn't this mean that anyone can get my key? All of my other google api keys, are server side, and are not in my source control. It seems here that this key is exposed - which makes me a bit uneasy.

I feel like I'm missing something, is there a reasonable way to hide this key - or is it meant to be that public, and if so, how do I prevent abuse.

I think the question has been answered here https://stackoverflow.com/questions/39625587/how-do-i-securely-use-google-api-keys — Kasinaat 007, May 21 '18 at 13:30

score 2 · Answer 1 · answered May 21 '18 at 13:32

When you create your key in the Google API Console and choose the set up credentials for the Maps JavaScript API, the wizard will instruct you how to secure the key, and will prompt you for URLs you wish to authorize.

For more info refer here : How do I securely use Google API Keys

score -3 · Answer 2 · answered May 21 '18 at 13:32

-3

If I remember you should have a public and a private key. You can expose your public key (if combo exists, whatever the service) and restrict it use using HTTP referrer into your google api console. It means that your key will only work with the domain you provided.

Hope it will answer your question.

answered May 21 '18 at 13:32

Jean-Philippe R

1

1

OP is talking about API key, not public and private key. – Hunter May 21 '20 at 22:11

Google maps api key in html/javascript

2 Answers2