28

Looking at the developer's guide for the Google Maps JavaScript API v3, it explains first how to obtain an API key, then shows examples of including that key in the HEAD section of an HTML page, e.g.:

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="initial-scale=1.0, user-scalable=no" />
<style type="text/css">
  html { height: 100% }
  body { height: 100%; margin: 0; padding: 0 }
  #map_canvas { height: 100% }
</style>
<script type="text/javascript"
    src="http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=SET_TO_TRUE_OR_FALSE">
</script>

Is there any need to keep this key secret, given it is used for rate-limiting and suchlike? In particular I'm thinking about if I put my work onto something public such as GitHub, do I need to remove my API_KEY before committing?

Is the answer in configuring within the Google API settings that the key is only valid if the webpage the key is within has been served from a domain name that I control?

UPDATE - was using: http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=SET_TO_TRUE_OR_FALSE from the Google tutorial linked above. Removed the api-key and all seems to work fine. Am confused about the Google tutorial telling me I need to use it though...

Durathor
  • 2
    I'd suggest you NOT send out the api key. While it's a public key, if your project takes off and gets used by hundreds/thousands of people, they'll just exhaust the allowable usage that much quicker. It's not unreasonable to say "here's the code, get your own key". – Marc B Jan 04 '12 at 16:13
  • I thought that v3 didn't use keys? – martincarlin87 Jan 04 '12 at 16:16
  • 3
    Given that if I have the HTML page on my server though and it downloads onto every client's PC to run the JavaScript, all anyone has to do is View Source to see the key though? So it's inherently public and available for people to use? Or am I missing something? – Durathor Jan 04 '12 at 16:18
  • 1
    @martincarlin87 that's what I'd read, but the link I've included is API3 and api-keys. Unless again I'm missing something? – Durathor Jan 04 '12 at 16:19
  • Got the same issue with GitHub Pages and an open-source project that I'm trying to create. Other questions have suggested putting the keys in the Secrets section as ENV variables, but no article I have found has yet mentioned how to then reference that key within your HTML or JavaScript files... My question here, with the same or similar issue: https://stackoverflow.com/questions/64761011/access-github-pages-secret-api-keys-via-javascript-or-include-in-html-mark-up – Ryan Stone Nov 10 '20 at 17:35

5 Answers

12

V3 doesn't require a key, but there are some benefits to using one.

Note first off that this key is different than the old V2 key. It's generated from the APIs console (http://code.google.com/apis/console). You pass it the same way, with a key parameter when loading the JS.

Benefits of having a key include usage reports in the console, and a way for Google to contact you if you're going over the quota regularly. You can also purchase additional quota through the console. Finally, if you're using the Places API, it requires the use of a key.

You can set allowed referrers, so that your key can't be used by others.

Mike Jeffrey
  • 1
    Thanks for explaining this! If I choose to use a key, is there any need to try and keep it secure e.g. github checkins, (given that the key can be seen in the HTML HEAD anyway)? – Durathor Jan 05 '12 at 19:27
  • 2
    I'm not sure what 'good practice' is in this regard; possibly it's best to leave it out? But from a technical point of view, you can 1) assign referrers to your key, so that it can only be used from specific URLs, and 2) generate a new key and shut down your old one at any time, from the APIs console. So you have a way out, but you might leave anyone else high and dry if they've checked out your code and you later shut down the key. – Mike Jeffrey Jan 06 '12 at 22:16
  • Google now requires an API key for all requests. – Mathias Lykkegaard Lorenzen Aug 19 '21 at 11:43
9

What Frazell says is correct. When you receive your API key, on the right is an 'Edit allowed referers...' link that pops up an option to allow the websites you want to show your map on. If you leave this blank you are allowing any, but if you set, let's say, http://yourdomain.com, only that domain can display the map.

  • How does this referrer work with a native app? What would an incoming API request look like, since there is no domain? Mobile apps run in WebView, so I think they would get a traditional domain in the request. I am curious to understand, is all. – landed Jun 09 '15 at 17:41
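
The referrer restriction described in the two answers above, sketched as an added example (not code from the original posts or from Google). It is a simplified model: the `*` pattern syntax and the names `globToRegExp` and `isReferrerAllowed` are assumptions for illustration, not Google's actual matching rules.

```javascript
// Simplified model of an HTTP-referrer allow-list for a browser API key.
// Assumption: patterns carry a scheme and use "*" as a wildcard; this is an
// illustration, not Google's real matching logic.

// Turn a glob such as "http://*.yourdomain.com" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                 // "*" matches any run of characters
  return new RegExp("^" + escaped + "$", "i");
}

function isReferrerAllowed(allowedPatterns, refererHeader) {
  // Blank allow-list: the key is unrestricted and works from any site.
  if (allowedPatterns.length === 0) return true;
  // Restricted key but no usable Referer header: nothing to match against.
  let url;
  try {
    url = new URL(refererHeader);
  } catch {
    return false;
  }
  const origin = url.protocol + "//" + url.host;
  return allowedPatterns.some((pattern) => {
    // Split the pattern into origin and path and match each part on its own,
    // so a host wildcard can never be satisfied by text in the path.
    const slash = pattern.indexOf("/", pattern.indexOf("://") + 3);
    const originGlob = slash === -1 ? pattern : pattern.slice(0, slash);
    const pathGlob = slash === -1 ? "/*" : pattern.slice(slash);
    return globToRegExp(originGlob).test(origin) &&
           globToRegExp(pathGlob).test(url.pathname);
  });
}

// Constructed requests: the owner's page, a fork hosted elsewhere, and a
// look-alike host that merely starts with the allowed name.
const ALLOWED = ["http://yourdomain.com/*"];
const REQUESTS = [
  "http://yourdomain.com/map.html?zoom=8",
  "http://fork.example/map.html",
  "http://yourdomain.com.fork.example/map.html",
];
for (const referer of REQUESTS) {
  const verdict = isReferrerAllowed(ALLOWED, referer) ? "served" : "rejected";
  console.log(referer, "->", verdict);
}
```
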
6

No secrets here. When the key is generated it is associated with your domain name, so the key will not work on someone else's site anyway. It's yours and yours alone.

(I agree with Marc's comment)

Diodeus - James MacFarlane
2

According to http://code.google.com/apis/maps/signup.html, version 3 does not need a key. "The Google Maps Javascript API Version 2 has been officially deprecated as of May 19, 2010. Version 3 does not require an API key."

j08691
  • 1
    Am I looking at the wrong page then? As the page I linked has both "The Google Maps Javascript API Version 3 documented within these pages is now the official Javascript API" and "All Maps API applications should load the Maps API using an API key. Using an API key enables you to monitor your application's Maps API usage, and ensures that Google can contact you about your application if necessary" – Durathor Jan 04 '12 at 16:21
  • Hmmm, there seems to be a bit of disparity in their own docs. Also, on http://code.google.com/apis/maps/faq.html#keysystem, it says "Note: Google Maps API keys are only required when using the JavaScript Maps API V2 and the Maps API for Flash." – j08691 Jan 04 '12 at 16:30
  • Just updated my question - removed key and changed the url I now call to and all seems to be good. I'm assuming that this *is* the v3 api I'm now calling, but will do some checking to be sure! – Durathor Jan 04 '12 at 16:31
  • Both versions work without api-key. I think the version I used originally, but with an api-key on is the latest version. Thanks for your help – Durathor Jan 04 '12 at 16:38
-1

You should keep your API key private and not share it publicly, via GitHub or any other means. You can place it in a configuration file that loads the value in later and keep that file outside of GitHub, for instance.

Frazell Thomas
  • 7
    What's the point? When loading a website, I can easily see the key in the developer console of my browser of choice. – Jose Gómez Mar 24 '15 at 00:04
  • 1
    @JoseGómez If someone checked in the key into GitHub, others that forked the project would be using that key by default. Granted, the calls would fail because the browser keys only worked from certain domains. – Evan Siroky Sep 11 '15 at 01:24
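
One way to apply the last answer's advice, as an added example (not code from the original posts): build the loader URL from a key supplied at deploy time, and check tracked files for hard-coded keys before committing. The names `mapsScriptUrl` and `findHardcodedKeys` are hypothetical, the key in the sample is constructed, and the key stays visible to anyone who loads the page, as the comments above point out.

```javascript
// Google API keys are commonly "AIza" followed by 35 URL-safe characters.
const GOOGLE_KEY_SHAPE = /AIza[0-9A-Za-z_-]{35}/g;
// The key= parameter of the loader URL shown in the question.
const MAPS_KEY_PARAM =
  /maps\.googleapis\.com\/maps\/api\/js\?[^"'\s>]*?\bkey=([^&"'\s>]*)/g;
// Values that are clearly not real keys: the tutorial placeholder, an empty
// value, or a template marker that is filled in at build time.
const PLACEHOLDER = /^(YOUR_API_KEY)?$|[{}$%]/;

// Build the loader URL from a key read from an untracked config, so the
// committed HTML/JS never contains the literal value.
function mapsScriptUrl(apiKey, sensor) {
  const query = new URLSearchParams({ key: apiKey, sensor: String(sensor) });
  return "http://maps.googleapis.com/maps/api/js?" + query.toString();
}

// Return one finding per hard-coded key on each line, with the value redacted.
function findHardcodedKeys(fileName, text) {
  const findings = [];
  text.split("\n").forEach((line, index) => {
    const values = new Set();
    for (const m of line.matchAll(MAPS_KEY_PARAM)) {
      if (!PLACEHOLDER.test(m[1])) values.add(m[1]);
    }
    for (const m of line.matchAll(GOOGLE_KEY_SHAPE)) values.add(m[0]);
    for (const value of values) {
      // Report the location and a short prefix only, never the full key.
      findings.push({ file: fileName, line: index + 1, hint: value.slice(0, 4) + "..." });
    }
  });
  return findings;
}

// Constructed sample input (FAKE_KEY is not a real key).
const FAKE_KEY = "AIza" + "X".repeat(35);
const SAMPLE_HTML = [
  '<script src="http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=false"></script>',
  '<script src="http://maps.googleapis.com/maps/api/js?key=' + FAKE_KEY + '&sensor=false"></script>',
  'var mapsKey = "' + FAKE_KEY + '";',
].join("\n");

console.log(findHardcodedKeys("index.html", SAMPLE_HTML));
```

Run as a pre-commit step, a non-empty result is the signal to move the value into the untracked config and, if the key was already pushed, to generate a new key from the console.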