Showing content from http://cloud.google.com/docs/authentication/api-keys-best-practices below:

Best practices for managing API keys | Authentication

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account or unauthorized access to your data. To help keep your API keys secure, implement the following best practices.

Add API key restrictions to your key

By adding restrictions, you can limit the ways an API key can be used, reducing the impact of a compromised API key.

For more information, see Apply API key restrictions.

Avoid using query parameters to provide your API key to Google APIs

Providing your API key to APIs as a query parameter includes your API key in the URL, exposing your key to theft through URL scans. Use the x-goog-api-key HTTP header or a client library instead.

Delete unneeded API keys to minimize exposure to attacks

Retain only the API keys you are actively using to keep your attack surface as small as possible.

Don't include API keys in client code or commit them to code repositories

API keys hardcoded in the source code or stored in a repository are open to interception or theft by bad actors. The client should pass requests to the server, which can add the credential and issue the request.
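The two recommendations above (send the key in the x-goog-api-key header rather than the URL, and have the server add the credential) can be combined in one server-side helper. The following is an added example, not code from the original page; the environment variable name, the placeholder host example.googleapis.com, and the /v1/items path are assumptions made for illustration.

```python
import os
import urllib.parse
import urllib.request

# Assumptions for this sketch (not from the page): env var name, upstream host, path allow-list.
API_KEY_ENV = "GOOGLE_API_KEY"
UPSTREAM_HOST = "example.googleapis.com"   # placeholder host
ALLOWED_PATHS = {"/v1/items"}              # hypothetical API method the client may reach


def build_upstream_request(client_path, client_query, api_key=None):
    """Build the server's outbound call from a client request (path + raw query string)."""
    api_key = api_key or os.environ.get(API_KEY_ENV)
    if not api_key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    # Only forward to methods the application needs, so the proxy cannot be
    # used to spend the key on arbitrary API calls.
    if client_path not in ALLOWED_PATHS:
        raise ValueError("path not allowed")
    # Drop any `key` parameter the client supplied: the credential must never be part of the URL.
    params = [(k, v) for k, v in urllib.parse.parse_qsl(client_query, keep_blank_values=True)
              if k.lower() != "key"]
    url = urllib.parse.urlunsplit(
        ("https", UPSTREAM_HOST, client_path, urllib.parse.urlencode(params), ""))
    req = urllib.request.Request(url, method="GET")
    req.add_header("x-goog-api-key", api_key)  # key travels in the header only
    return req


def describe_for_log(req):
    """Log-safe view of the request: full URL, header names, key value masked."""
    headers = {name: ("***" if name.lower() == "x-goog-api-key" else value)
               for name, value in req.header_items()}
    return {"url": req.full_url, "headers": headers}


if __name__ == "__main__":
    # Constructed sample input: a client request that tried to pass a key in the query string.
    demo = build_upstream_request("/v1/items", "q=hello&key=pasted-by-client",
                                  api_key="constructed-key-not-real")
    print(describe_for_log(demo))
```

Because the URL never contains the key, access logs, proxies and browser history on the path only ever record the request parameters; the key itself lives in the server's environment and in the masked header.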

Don't use API keys bound to service accounts in production

API keys bound to service accounts are designed to accelerate the initial experience for developers exploring Google Cloud APIs. Don't use them in production environments. Instead, plan to migrate to more secure alternatives such as Identity and Access Management (IAM) policies and short-lived service account credentials, following least-privilege security practices.

Here's why you should migrate from using an API key bound to a service account to more secure practices as soon as possible:

Implement strong monitoring and logging

Monitoring API usage can help alert you to unauthorized usage. For more information, see Cloud Monitoring overview and Cloud Logging overview.

Isolate API keys

Provide each team member with their own API key for each application. This can help control access, provide an audit trail, and reduce the impact of a compromised API key.

Rotate your API keys periodically

Periodically create new API keys, update your applications to use the new API keys, and delete the old keys.

For more information, see Rotate an API key.

Consider a more secure method of authorizing access

For help with choosing an authentication method, see Authentication methods.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.
