CODEWITHSUNDEEP
google-mapsgoogle-maps-api-3google-apigoogle-maps-android-api-2api-key
zeus
zeus

Reputation: 13345

How to secure my api key?

I want to use from my android/ios app the autocomplete api. For this I need to call url like:

https://maps.googleapis.com/maps/api/place/autocomplete/json?input=paris&key=<myapikey>

the problem is: What can make that someone else will not extract from my app my api key and use it for his own purpose ? It's important because at the end it's me who will be billed by google for the usage ...

Upvotes: 5

Views: 1307

Answers (2)

Mahdi
Mahdi

Reputation: 29

What if you create and intermediate server and create a token for each single user, and also create a monitoring service which block suspicious behavior?

for example, a normal user would request x times/per day || hour || ...

Or when a user runs application for the first time, application receives the [encrypted api + decryption key] and store them to a safe place like keychain(for iOS)

As I know, if you request directly to google-map-api there is always a way to sniffing packets.

Upvotes: 0

xomena
xomena

Reputation: 32138

Your intention is to call a Places API web service. Google Maps web services support only IP address restrictions.

You can check what type of restriction is supported by each API on the following page:

https://developers.google.com/maps/faq#keysystem

In order to protect an API key that is used with your sample request you should create an intermediate server and send your requests from this server. So your application should send request to intermediate server, intermediate server should send Places autocomplete request with protected API key to Google and pass response back to your app. In this case you can use an IP address of your intermediate server to protect unauthorized access with your API key.

I hope this helps!

Upvotes: 1

Related Questions