4

My android and iOS application was using same unrestricted (platform and service) api key for geocode distance matrix places services. I want to use separate restricted keys for separate service and platform. In google cloud console, how can I restrict my keys for different platforms? should I use and android giving package name and sha1 and iOS with bundle ID or should I use IP address of my server? what should be the best practice? I am using retrofit to hit these apis.

sometime keys are responding with this IP, site or mobile application is not authorized to use this API key. Request received from IP address 202.65.11.56, with empty referer and again after somethime it is responding with proper response. why is such abnormality happening?

I am also searching places using places autocomplete sdk and for getting geometry I am calling geocode using place_id, should I give places api permission in geocode api key for this?

Mihodi Lushan
  • 670
  • 5
  • 24
  • 1
    I woul suggest reading https://developers.google.com/maps/faq#keysystem – xomena Jul 02 '19 at 21:52
  • @xomena I have read nd understood that I need to change the restriction to Server IP from android or iOS. Now my question is in this case how can I directly call geocode or direction api using server ip restricted api key? do I need to call from my server and retrieve response from server if I want to use restricted keys? because directly from android the ip will not be always same. and If i call from my server, the performance will vary depending on my server performance right? – Mihodi Lushan Jul 04 '19 at 06:19
  • 1
    https://stackoverflow.com/a/46185362/5339146 also checked this answer and concerned about the performance – Mihodi Lushan Jul 04 '19 at 06:25
  • 1
    Yep Google suggest using intermediate server if you want restrict an API key. – xomena Jul 04 '19 at 21:39

2 Answers2

2

For all the Google Api usages you are making, you can use a single ApiKey and restrict it. Restrict it based on your platform and use this key in the respective platforms. SInce you have mentioned that you will be using in Mobile Applications(Android & iOS), here are the steps.

Go to Google Cloud Console

Create a project > Go to APIs & Services > Credentials > Create Credential

Then restrict the key like this -

  1. For Android, add your Package name & SHA-1 certificate here

enter image description here

  1. For iOS, add your Bundle Id here

enter image description here

Now use the APIKey in android & iOS platform. This is the best way to restrict your Google API Key.

Hope it helps!

Anupam
  • 2,845
  • 2
  • 16
  • 30
  • as i am calling rest api using android and geocode doesn't have sdk, how do google understand wheather I am calling from android or iOS or postman? just asking this from curiosity. and even after giving ios bundle id, it was not working what can be the issue? and do I need places api access in geocode to fetch place geometry from places autocomplete's place id? @zachary . – Mihodi Lushan Jul 01 '19 at 18:47
  • I am still getting `This IP, site or mobile application is not authorized to use this API key. Request received from IP address 202.65.11.56, with empty referer` in geocode and direction when restricting android platform with package name and sha1 – Mihodi Lushan Jul 02 '19 at 10:50
  • 1
    Checking the issue – Anupam Jul 02 '19 at 11:04
  • 1
    Found out that in your case, you need to use server key. Restricting will not help. Not Android or iOS restricted one. Please try. – Anupam Jul 02 '19 at 13:34
  • 1
    For iOS, if you are using a restricted key, you have to add `X-Ios-Bundle-Identifier` header with the bundle you restricted the key to. With that header, it works also from Postman. – Cyril Cermak Mar 16 '22 at 13:07
1

You are most likely using a web service with your API key that is restricted for Android/iOS Apps.

Due to the Mobile App restrictions, it can only be used for the Maps Android/iOS SDKs, and not any web service or JavaScript API.

What I recommend doing is identifying which web service is giving this error (probably Geocoding API, please double-check), and creating a separate API key with IP-address restrictions (not Android/iOS App), so that it can be used for the web service.

Waren
  • 335
  • 2
  • 9
  • can you please explain a bit more about how should I call the api then? directly from android using retrofit? If yes, how do google understand my server IP? or do I need to call from my server? like I will call my back-end and my backend server will call google and return me the response? what is the best practice for using a geocode restricted api key safely? – Mihodi Lushan Jul 04 '19 at 05:32
  • 1
    Since the error points your public server IP as 202.65.11.56 then that is what you should authorize in your IP address restrictions, but it is always good to check from your side where the requests are ultimately coming from. Also the web services are http requests so anything with the capability to send an HTTP request will do. – Waren Jul 05 '19 at 04:35
  • 1
    Additionaly, here is the API key best practices doc : https://developers.google.com/maps/api-key-best-practices#restrict_apikey – Waren Jul 05 '19 at 04:39