Does google maps javascript api-key (v3) need to be kept secret in HTML checked into github and if so, how?

Looking at the developers guide for the Google Maps Javascript API v3 it explains first about how to obtain an API, then shows examples of including that key in the HEAD section of an HTML page e.g.

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="initial-scale=1.0, user-scalable=no" />
<style type="text/css">
  html { height: 100% }
  body { height: 100%; margin: 0; padding: 0 }
  #map_canvas { height: 100% }
</style>
<script type="text/javascript"
    src="http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=SET_TO_TRUE_OR_FALSE">
</script>

Is there any need to keep this key secret, given it is used for rate-limiting and suchlike? In particular I'm thinking about if I put my work onto something public such as GitHub, do I need to remove my API_KEY before committing?

Is the answer in configuring within the Google API settings that the key is only valid if the webpage the key is within has been served from a domain name that I control?

UPDATE - was using: http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=SET_TO_TRUE_OR_FALSE from Google tutorial linked above. Removed the api-key and all seems to work fine. Am confused about the Google tutorial telling me I need to use it though...

Answers


V3 doesn't require a key, but there are some benefits to using one.

Note first off that this key is different than the old V2 key. It's generated from the APIs console (http://code.google.com/apis/console). You pass it the same way, with a key parameter when loading the JS.

Benefits of having a key include usage reports in the console, and a way for Google to contact you if you're going over the quota regularly. You can also purchase additional quota through the console. Finally, if you're using the Places API, it requires the use of a key.

You can set allowed referrers, so that your key can't be used by others.


What Frazell says is correct. When you receive your API key, on the right is an 'Edit allowed referers...' link that pops up an option to allow the websites you want to show your map on. If you leave this blank you are allowing any, but if you set, let's say, http://yourdomain.com, only that domain can display the map.


No secrets here. When the key is generated it is associated with your domain name, so the key will not work on someone else's site anyway. It's yours and yours alone.

(I agree with Marc's comment)


According to http://code.google.com/apis/maps/signup.html, version 3 does not need a key. "The Google Maps Javascript API Version 2 has been officially deprecated as of May 19, 2010. Version 3 does not require an API key."


You should keep your API key private and not share it publicly, via GitHub or any other means. You can place it in a configuration file that loads the value in later and keep that file outside of GitHub, for instance.
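
A check in the spirit of the advice above, as an added example that is not part of the original answers: it scans text about to be committed for the Maps loader URL shown in the question and reports any `key` value that is not the placeholder. The function names, the sample HTML and the key value in it are constructed for illustration.

```javascript
// Added example: flag real-looking keys in Google Maps JS API loader URLs
// before a file is committed. All names and sample data are constructed.

// Values that are safe to commit: an empty key or the tutorial placeholder.
const PLACEHOLDERS = new Set(["", "YOUR_API_KEY"]);

// The loader URL from the question (http or https); captures the query string.
const LOADER_RE = /https?:\/\/maps\.googleapis\.com\/maps\/api\/js\?([^"'\s<>]*)/g;

// Never echo a full key into terminal output or CI logs.
function redact(key) {
  return key.length <= 8 ? "****" : key.slice(0, 4) + "..." + key.slice(-2);
}

// Returns [{ line, redacted }] for every loader URL carrying a non-placeholder key.
function findEmbeddedMapsKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(LOADER_RE)) {
      // In HTML attributes the separator is often written as &amp;
      const query = m[1].replace(/&amp;/g, "&");
      const key = new URLSearchParams(query).get("key");
      if (key !== null && !PLACEHOLDERS.has(key)) {
        findings.push({ line: i + 1, redacted: redact(key) });
      }
    }
  });
  return findings;
}

// Constructed sample: line 2 uses the placeholder, line 4 a made-up key.
const SAMPLE_HTML = [
  '<script type="text/javascript"',
  '    src="http://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&sensor=false">',
  "</script>",
  '<script src="https://maps.googleapis.com/maps/api/js?sensor=false&amp;key=CONSTRUCTED-KEY-0000-not-real"></script>',
].join("\n");

console.log(findEmbeddedMapsKeys(SAMPLE_HTML));
```

A key that must ship in client-side HTML is visible to every visitor regardless, so a check like this complements the allowed-referrers restriction described in the earlier answers rather than replacing it.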

