When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account or unauthorized access to your data. To help keep your API keys secure, implement the following best practices.
Add API key restrictions to your key
By adding restrictions, you can limit the ways an API key can be used, reducing the impact of a compromised API key.
For more information, see Apply API key restrictions.
Avoid using query parameters to provide your API key to Google APIs
Providing your API key to APIs as a query parameter includes your API key in the
URL, exposing your key to theft through URL scans. Use the
x-goog-api-key HTML parameter
or a client library
instead.
Delete unneeded API keys to minimize exposure to attacks
Retain only the API keys you are currently using to keep your attack surface as small as possible.
Rotate your API keys periodically
Periodically create new API keys, update your applications to use the new API keys, and delete the old keys.
For more information, see Rotate an API key.
Don't include API keys in client code or commit them to code repositories
API keys hardcoded in the source code or stored in a repository are open to interception or theft by bad actors. The client should pass requests to the server, which can add the credential and issue the request.
Implement strong monitoring and logging
Monitoring API usage can help alert you to unauthorized usage. For more information, see Cloud Monitoring overview and Cloud Logging overview.
Consider a more secure method of authorizing access
For help with choosing an authentication method, see Authentication methods.