Protecting YouTube v3 API key in a client-side application

Question

I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started

The first step of interacting with YouTube's API is:

You need a Google Account to access the Google Developers Console, request an API key, and register your application.

And they continue on to show an example where they use the key:

URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY &part=snippet,contentDetails,statistics,status

I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.

Since it's a client-side application, my API key is embedded into the code.

Today, a malicious user scripted something to max out the requests:

I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?

I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.

Do I have any other options available to me?

Thanks

Answer 1

That is correct. When you make your key make sure you use the REFERERS so that even if they do get your key it will not work for them!

Answer 2

This was due to a quota cost increase, it's temporarily reverted. We'll announce cost changes in http://apiblog.youtube.com/ and https://developers.google.com/youtube/v3/revision_history going forward.

Answer 3

We also see this error, it seems to be too large deviations. results Overview is 813.844, but the APIs are Used 49,379,348 of 50,000,000 requests today

Answer 4

It appears to be a major bug. Same problem here - quota usage spiked like crazy starting on Sept. 3 and requests now cost WAY more than the documentation states.

Someone reported it as a defect in their bug tracking system. I suggest everyone affected go there and star the defect to help call attention to it:

• https://code.google.com/p/gdata-issues/issues/detail?id=6623&q=label%3AAPI-YouTube&sort=-id&colspec=API%20ID%20Type%20Status%20Priority%20Stars%20Summary

Answer 5

Don't think it is a malicious user. I think something's wrong on YouTube's side, since I'm seeing exactly the same issue with API requests made from my app

Answer 6

You can use restriction to secure your API Key.

Use the REFERERS attribute of the public API key. Go to your project in console developers -> API&Auth -> Credentials

• If you use Key for browser applications, REFERERS is a reference to a domain.
• If you use Server key, REFERERS is a reference to a IP. (ip of your server for example)

For example, if you use github.io to make live demo of an application, REFERERS will point on http://user.github.io/*

You can read more register your application

• Use a server key if your application runs on a server. Do not use this key outside of your server code. For example, do not embed it in a web page. To prevent quota theft, restrict your key so that requests are only allowed from your servers' source IP addresses.

• Use a browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.

A screen to help you :

Answer 7

I propose the following ideas:

• You can make sure the user accessing your page is a human (with Captcha, etc.)
• Hide your API call behind an AJAX call that is triggered by your front-end (like GET /callgoogleapi);
• The handler of AJAX call can set a frequency threshold, i.e. 2 requests per second. If too fast, the API call is not made, and AJAX replies a message like "User operation too fast".