This page describes how to use API keys to authenticate to Google Cloud APIs and services that support API keys.
Most Google Cloud APIs don't support API keys. Check that the API that you want to use supports API keys before using this authentication method.

For information about using API keys to authenticate to Google Maps Platform, see the Google Maps Platform documentation. For more information about the API Keys API, see the API Keys API documentation.

Introduction to API keys

An API key has the following components, which you use to manage and use the key:

String
The API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. When you use an API key to authenticate, you always use the key's string. API keys do not have an associated JSON file.

ID
The API key ID is used by Google Cloud administrative tools to uniquely identify the key. The key ID cannot be used to authenticate. The key ID can be found in the URL of the key's edit page in the Google Cloud console. You can also get the key ID by using the Google Cloud CLI to list the keys in your project.

Display name
The display name is an optional, descriptive name for the key, which you can set when you create or update the key.

When you use an API key to authenticate to an API, the API key does not identify a principal, nor does it provide any authorization information. The API key associates the request with a Google Cloud project for billing and quota purposes. Because API keys do not identify the caller, they are often used for accessing public data or resources.

Many Google Cloud APIs do not accept API keys for authentication. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys.

To manage API keys, you must have the API Keys Admin role (

Create an API key

To create an API key, use one of the following options:

In the Google Cloud console, go to the Credentials page: Go to Credentials
Click Create credentials, then select API key from the menu. The API key created dialog displays the string for your newly created key.

You use the gcloud alpha services api-keys create command to create an API key. Replace

You use the
keys.create method to create an API key. This request returns a long-running operation; you must poll the operation to get the information for the new key. Replace the following values:

For more information about creating API keys using the REST API, see Creating an API key in the API Key API documentation.

Copy your key string and keep it secure. Unless you're using a testing key that you intend to delete later, add application and API key restrictions.

Use an API key

You can use API keys with REST requests and with client libraries that support them.

Using an API key with REST

You can pass the API key into a REST API call as a query parameter with the following format. Replace

For example, to pass an API key for a Cloud Natural Language API request for

    POST https://language.googleapis.com/v1/documents:analyzeEntities?key=API_KEY

Alternatively, you can use the

    curl -X POST \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "X-goog-api-key: API_KEY" \
      -H "Content-Type: application/json; charset=utf-8" \
      -d @request.json \
      "https://translation.googleapis.com/language/translate/v2"

Using an API key with client libraries

When a service's API supports API keys, the client library for that service usually supports API keys. Check the client library documentation to see if the client creation method accepts an API key.

Secure an API key

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account. To help keep your API keys secure, follow these best practices:
Apply API key restrictions

API keys are unrestricted by default. Unrestricted keys are insecure because they can be used by anyone from anywhere. For production applications, you should set both application restrictions and API restrictions.

Add application restrictions

Application restrictions specify which websites, IP addresses, or apps can use an API key. You can apply only one application restriction type at a time. Choose the restriction type based on your application type:

HTTP referrers

To restrict the websites that can use your API key, you add one or more HTTP referrer restrictions.

You can substitute a wildcard character (

Port numbers can be included in HTTP referrer restrictions. If you include a port number, then only requests using that port are matched. If you do not specify a port number, then requests from any port number are matched.

You can add up to 1200 HTTP referrers to an API key.

The following table shows some example scenarios and browser restrictions:
To restrict your API key to specific websites, use one of the following options:

In the Google Cloud console, go to the Credentials page: Go to Credentials
Click the name of the API key that you want to restrict.
In the Application restrictions section, select HTTP referrers.
For each restriction that you want to add, click Add an item, enter the restriction, and click Done.
Click Save to save your changes and return to the API key list.

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the
Use the
Replace the following values:
You can add as many restrictions as needed; use commas to separate the restrictions. You must provide all referrer restrictions with the update command; the referrer restrictions provided replace any existing referrer restrictions on the key.

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the
Replace
Use the keys.patch method to add HTTP referrer restrictions to the API key. This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
You can add as many restrictions as needed; use commas to separate the restrictions. You must provide all referrer restrictions with the request; the referrer restrictions provided replace any existing referrer restrictions on the key.

For more information about adding HTTP referrer restrictions to a key using the REST API, see
Adding browser restrictions in the API Key API documentation.

IP Addresses

You can specify one or more IP addresses of the callers, such as a web server or cron job, that are allowed to use your API key. You can specify the IP addresses in any of the following formats:

Using

To restrict your API key to specific IP addresses, use one of the following options:

In the Google Cloud console, go to the Credentials page: Go to Credentials
Click the name of the API key that you want to restrict.
In the Application restrictions section, select IP addresses.
For each IP address that you want to add, click Add an item, enter the address, and click Done.
Click Save to save your changes and return to the API key list.

gcloud

REST
For more information about adding IP address restrictions to a key using the REST API, see Adding server restrictions in the API Key API documentation.

Android apps

You can restrict usage of an API key to specific Android apps. You must provide the package name and the 20-byte SHA-1 certificate fingerprint for each app.

To restrict your API key to one or more Android apps, use one of the following options:

In the Google Cloud console, go to the Credentials page: Go to Credentials
Click the name of the API key that you want to restrict.
In the Application restrictions section, select Android apps.
For each Android app that you want to add, click Add an item and enter the package name and SHA-1 certificate fingerprint, then click Done.
Click Save to save your changes and return to the API key list.

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the
Use the
Replace the following values:
You can add as many apps as needed; use additional

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the
keys.list method. The ID is listed in the
Replace

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/"

Use the keys.patch method to specify the Android apps that can use an API key. This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      --data '{
        "restrictions": {
          "androidKeyRestrictions": {
            "allowedApplications": [
              {
                "sha1Fingerprint": "SHA1_FINGERPRINT_1",
                "packageName": "PACKAGE_NAME_1"
              }
            ]
          }
        }
      }' \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"

For more information about adding Android app restrictions to a key using the REST API, see Adding Android restrictions in the API Key API documentation.

iOS apps

You can restrict usage of an API key to specific iOS apps by providing the bundle ID of each app.

To restrict your API key to one or more iOS apps, use one of the following options:

In the Google Cloud console, go to the Credentials page: Go to Credentials
Click the name of the API key that you want to restrict.
In the Application restrictions section, select iOS apps.
For each iOS app that you want to add,
click Add an item and enter the bundle ID, then click Done.
Click Save to save your changes and return to the API key list.

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the
Use the
Replace the following values:
You can add as many bundle IDs as needed; use commas to separate the IDs.

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the
Replace
Use the keys.patch method to specify the iOS apps that can use an API key. This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
You can add the information for as many apps as needed; use commas to separate the bundle IDs. You must provide all bundle IDs with the request; the bundle IDs provided replace any existing allowed applications on the key.

For more information about adding iOS app restrictions to a key using the REST API, see Adding iOS restrictions in the API Key API documentation.

Add API restrictions

API restrictions specify which APIs can be called using the API key.

To add API restrictions, use one of the following options:

In the Google Cloud console, go to the Credentials page: Go to Credentials
Click the name of the API key that you want to restrict.
In the API restrictions section, click Restrict key.
Select all APIs that your API key will be used to access.
Click Save to save your changes and return to the API key list.

Get the ID of the key that you want to restrict. The ID is
not the same as the display name or the key string. You can get the ID by using the
Use the
Replace the following values:
You must provide all service names with the update command; the service names provided replace any existing services on the key.
You can find the service name by searching for the API on the API dashboard. Service names are strings like

Get the ID of the key that you want to restrict. The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the
Replace
Use the keys.patch method to specify which services an API key can be used to authenticate to. This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.
Replace the following values:
You must provide all service names with the request; the service names provided replace any existing services on the key.
You can find the service name by searching for the API on the API dashboard. Service names are strings like

For more information about adding API restrictions to a key using the REST API, see Adding API restrictions in the API Key API documentation.

Get project information from a key string

You can determine which Google Cloud project an API key is associated with from its string.

Replace

You use the gcloud alpha services api-keys lookup command to get the project ID from a key string.

You use the lookupKey method to get the project ID from a key string.

Poll long-running operations

API Key API methods use long-running operations. If you use the REST API to create and manage API keys, an operation object is returned from the initial method request. You use the operation name to poll the long-running operation. When the long-running request completes, polling the operation returns the data from the long-running request.
To poll a long-running API Key API operation, you use the
Replace

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      "https://apikeys.googleapis.com/v2/OPERATION_NAME"

Limits on API keys

You can create up to 300 API keys per project. This limit is a system limit, and cannot be changed using a quota increase request. If more API keys are needed, you must use more than one project.
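The guidance under "Apply API key restrictions" (set both an application restriction and an API restriction, with only one application restriction type at a time) can be checked mechanically against the output of keys.list. The following is an added example, not part of the original documentation; the sample data is constructed, and the restriction field names other than androidKeyRestrictions are taken from the API Keys API v2 Key resource rather than from this page.

```python
# Added example: audit a keys.list response for the gaps this page warns about.
APP_RESTRICTIONS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}

def audit_key(key):
    """Return findings for one Key object or patch body; empty means nothing to flag."""
    restrictions = key.get("restrictions") or {}
    active = [name for name, field in APP_RESTRICTIONS.items()
              if (restrictions.get(name) or {}).get(field)]
    findings = []
    if not active:
        findings.append("no application restriction")
    elif len(active) > 1:
        findings.append("more than one application restriction type: "
                        + ", ".join(active))
    if not any(t.get("service") for t in restrictions.get("apiTargets") or []):
        findings.append("no API restriction")
    return findings

def audit_keys(list_response):
    """Map key resource name -> findings, only for keys that have findings."""
    report = {}
    for key in list_response.get("keys", []):
        findings = audit_key(key)
        if findings:
            report[key.get("name", "<unnamed>")] = findings
    return report

# Constructed sample shaped like a keys.list response; all values are placeholders.
SAMPLE = {"keys": [
    {"name": "projects/PROJECT_ID/locations/global/keys/KEY_A"},
    {"name": "projects/PROJECT_ID/locations/global/keys/KEY_B",
     "restrictions": {"browserKeyRestrictions":
                      {"allowedReferrers": ["www.example.com/*"]}}},
    {"name": "projects/PROJECT_ID/locations/global/keys/KEY_C",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["198.51.100.7"]},
                      "apiTargets": [{"service": "language.googleapis.com"}]}},
]}

if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Feed it the parsed JSON returned by the keys.list request shown earlier on this page.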
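Two points from the REST procedures above are easy to get wrong in automation: the restrictions sent with keys.patch replace what is already on the key, and the change is only complete once the returned long-running operation reports done. The following is an added example, not part of the original documentation; `get_operation` is a hypothetical caller-supplied function that performs the authenticated GET, and the operation fields `done`, `error` and `response` are assumed from the standard Google long-running operation format.

```python
import time

def referrer_patch_body(current_key, new_referrers):
    """Build a keys.patch body (updateMask=restrictions) that adds referrers.

    The patch replaces what is on the key, so the body carries the existing
    restrictions forward instead of sending only the new entries.
    """
    restrictions = dict(current_key.get("restrictions") or {})
    for other in ("serverKeyRestrictions", "androidKeyRestrictions",
                  "iosKeyRestrictions"):
        if restrictions.get(other):
            raise ValueError(f"key already uses {other}; only one application "
                             "restriction type can be applied at a time")
    existing = (restrictions.get("browserKeyRestrictions") or {}).get(
        "allowedReferrers", [])
    merged = list(dict.fromkeys([*existing, *new_referrers]))  # de-dup, keep order
    restrictions["browserKeyRestrictions"] = {"allowedReferrers": merged}
    return {"restrictions": restrictions}

def wait_for_operation(get_operation, operation_name, attempts=8,
                       first_delay=1.0, sleep=time.sleep):
    """Poll an operation until it is done, doubling the delay up to 30 seconds.

    get_operation (hypothetical) performs the authenticated GET on
    https://apikeys.googleapis.com/v2/OPERATION_NAME and returns parsed JSON.
    """
    delay = first_delay
    for _ in range(attempts):
        operation = get_operation(operation_name)
        if operation.get("done"):
            if "error" in operation:
                raise RuntimeError(f"operation failed: {operation['error']}")
            return operation.get("response", {})
        sleep(delay)
        delay = min(delay * 2, 30.0)
    raise TimeoutError(f"{operation_name} not done after {attempts} polls")
```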
How do I find my Google App ID and secret key?
Get a client ID and client secret.
Open the Google API Console Credentials page.
From the project drop-down, select an existing project or create a new one.
On the Credentials page, select Create credentials, then select OAuth client ID.
Under Application type, choose Web application.
Click Create.

How do I get a Google secret key?
How to get Google Client ID and Client Secret?
Go to the Google Developers Console.
Click Select a project ➝ New Project ➝ the Create button.
Enter your Project name ➝ click the Create button.
Click OAuth consent screen in the left side menu ➝ choose User Type ➝ click the Create button.

How do I get a Google App ID?
Steps to create the web client ID.
In Google Cloud, open the project you created earlier. ...
Click APIs & Services OAuth consent screen. ...
For User Type, select Internal.
Click Create.
For App name, add the name of your application.
Select a User support email for users to contact with questions.

Should Google client id be kept secret?
The OAuth 2 specification says that the client secret should indeed be kept secret. However, if the client secret is inside of the application, then it's not secret - someone can use a debugger, disassembler, etc to view it.