Is there any need to keep this key secret, given it is used for rate-limiting and suchlike? In particular I'm thinking about if I put my work onto something public such as GitHub, do I need to remove my API_KEY before committing?
Is the answer in configuring within the Google API settings that the key is only valid if the webpage the key is within has been served from a domain name that I control?
UPDATE - was using: http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=SET_TO_TRUE_OR_FALSE from Google tutorial linked above. Removed the api-key and all seems to work fine. Am confused about the Google tutorial telling me I need to use it though...
V3 doesn't require a key, but there are some benefits to using one.
Note first off that this key is different than the old V2 key. It's generated from the APIs console (http://code.google.com/apis/console). You pass it the same way, with a key parameter when loading the JS.
Benefits of having a key include usage reports in the console, and a way for Google to contact you if you're going over the quota regularly. You can also purchase additional quota through the console. Finally, if you're using the Places API, it requires the use of a key.
You can set allowed referrers, so that your key can't be used by others.
What Frazell says is correct. When you receive your API key, on the right is an 'Edit allowed referers...' link that pops up an option to allow the websites you want to show your map on. If you leave this blank you are allowing any, but if you set, let's say, http://yourdomain.com, only that domain can display the map.
No secrets here. When the key is generated it is associated with your domain name, so the key will not work on someone else's site anyway. It's yours and yours alone.
(I agree with Marc's comment)
You should keep your API key private and not share it publicly, via GitHub or any other means. You can place it in a configuration file that loads the value in later and keep that file outside of GitHub, for instance.
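One way to follow the advice above, as an added example that is not part of the original answers: the committed page keeps the tutorial's `YOUR_API_KEY` placeholder, a check flags any real key left in a Maps loader URL before committing, and the key is filled in at deploy time from a config object. The names `findEmbeddedKeys`, `injectKey` and `mapsApiKey` are hypothetical, and the sample key is constructed.

```javascript
// Added example. PLACEHOLDER is the literal from the tutorial URL quoted in the question.
const PLACEHOLDER = "YOUR_API_KEY";
// Captures the value of the key parameter in a Maps JavaScript API loader URL.
const LOADER_KEY_RE = /maps\.googleapis\.com\/maps\/api\/js\?[^"'\s>]*?\bkey=([^&"'\s>]*)/g;

// Pre-commit style check: list every hard-coded (non-placeholder) key with its line number.
function findEmbeddedKeys(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(LOADER_KEY_RE)) {
      if (m[1] !== "" && m[1] !== PLACEHOLDER) findings.push({ line: i + 1, key: m[1] });
    }
  });
  return findings;
}

// Deploy-time step: fill the placeholder from a config object that was loaded
// from a file kept outside the repository (mapsApiKey is a hypothetical field name).
function injectKey(template, config) {
  const key = config && config.mapsApiKey;
  if (typeof key !== "string" || key === "" || key === PLACEHOLDER) {
    throw new Error("mapsApiKey missing from local config");
  }
  // The match ends with the captured key value, so swap only that tail.
  return template.replace(LOADER_KEY_RE, (url, old) =>
    old === PLACEHOLDER ? url.slice(0, url.length - old.length) + encodeURIComponent(key) : url);
}

// Constructed sample inputs (the key value is made up).
const SAMPLE_COMMITTED =
  '<script src="http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=false"></script>';
const SAMPLE_LEAKY =
  '<html>\n<script src="http://maps.googleapis.com/maps/api/js?key=CONSTRUCTED-KEY-123&sensor=false"></script>';

console.log(findEmbeddedKeys(SAMPLE_COMMITTED)); // nothing to report
console.log(findEmbeddedKeys(SAMPLE_LEAKY));     // one finding on line 2
console.log(injectKey(SAMPLE_COMMITTED, { mapsApiKey: "CONSTRUCTED-KEY-123" }));
```

The served page still contains the key after injection, so this keeps the key out of the repository only; limiting where it works is what the allowed-referrers setting described above is for.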