API best practices


In this tutorial we will look at best practices for handling Google Maps Platform API keys: what the keys are for, how to protect them and how to restrict them.

API keys are required for apps and projects that use the Google Maps Platform APIs and SDKs. An API key is a project-centric credential that serves two purposes:

  • Firstly, project identification.
    • It identifies the app or project that is making the call to the API or SDK.
  • Secondly, project authorization.
    • It lets Google check that the calling app has been granted access to the API or SDK and that the API or SDK is enabled in the project.

Protecting API keys

You should secure the API keys your application uses for every Google Maps Platform product. You do this by placing restrictions on the keys and by following the best practices that apply to the Google Maps Platform APIs your application calls. A credential that is exposed publicly without restrictions can be used by anyone who finds it, and that use is billed to your account.

The following practices help protect your API keys.
  • Firstly, restrict your API keys. Restrict each key to specific IP addresses, referrer URLs or mobile apps, and to the specific APIs it needs. A restricted key that leaks can only be used from the places and for the APIs you allowed, which significantly reduces the impact of a compromise.
  • Secondly, use an independent API key for each app. This limits the scope of each key: if one is compromised, you can delete or revoke it without having to update the keys used by your other apps.
  • Thirdly, delete API keys you no longer need, so that a forgotten key cannot be abused later.
  • Fourthly, exercise caution when regenerating API keys. The old key keeps working for 24 hours after regeneration and is then destroyed. If migrating all your apps to the new key takes longer than that, any instance still referencing the old key breaks.
  • Then, monitor usage of your APIs for anomalies. If you observe unauthorized usage, rotate your keys and notify Google.
  • After that, on apps that use the Maps Web Service APIs or Static Web APIs, safeguard your apps and API keys as follows:
    • Do not embed API keys or signing secrets directly in the code.
    • Do not store API keys or signing secrets in files inside your application's source tree; a file under version control is easily published by mistake.
    • Review your code before publicly releasing it, including for keys or secrets that slipped into configuration files or history.
  • Lastly, on mobile apps that use Web Service APIs or Static Web APIs, consider one or more of the following techniques to further safeguard your API keys or signing secrets:
    • Use a proxy server, so that the key stays on a server you control and the app never contains it.
    • Obfuscate or encrypt the API key or signing secret in the app. This raises the cost of extracting it but does not prevent extraction, so treat it as a supplement to key restrictions, not a replacement.
    • Use CA pinning or certificate pinning so that the app only talks to the servers you expect.
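The proxy-server and signing-secret points above, worked through as an added example (this is not code from Google's documentation or from this tutorial). The proxy holds the key and the URL signing secret server-side, forwards only an allow-list of endpoints and parameters, attaches the key itself, and signs Static Maps URLs with Google's documented scheme (HMAC-SHA1 over the path and query, keyed with the URL-safe-base64-decoded secret, signature appended as the last parameter). The environment variable names MAPS_API_KEY and MAPS_SIGNING_SECRET, the endpoint allow-list and the sample secret are assumptions made for the example, not something the page specifies.

```python
"""Server-side proxy helpers for Google Maps Platform web service calls.

Added example for this tutorial, not code from Google's documentation.
Assumptions (not from the page): the key and the URL signing secret are
read from the environment variables MAPS_API_KEY and MAPS_SIGNING_SECRET,
and the proxy forwards only the endpoints and parameters in ALLOWED_ENDPOINTS.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import urlencode, urlparse

MAPS_HOST = "https://maps.googleapis.com"

# Endpoints the proxy will forward, each with the query parameters a client
# may set. `key` and `signature` are deliberately absent: the proxy adds them.
ALLOWED_ENDPOINTS = {
    "/maps/api/geocode/json": {"address", "latlng", "language", "region"},
    "/maps/api/staticmap": {"center", "zoom", "size", "markers", "maptype"},
}

# Constructed secret for the runnable example only: URL-safe base64 of 20
# bytes, the shape of a real signing secret. Never hard-code a real one.
SAMPLE_SIGNING_SECRET = base64.urlsafe_b64encode(b"constructed-secret!!").decode()


def credentials_from_env():
    """Read the key and signing secret from the environment (assumed names)."""
    return os.environ.get("MAPS_API_KEY"), os.environ.get("MAPS_SIGNING_SECRET")


def build_upstream_url(path, client_params, api_key):
    """Attach the server-held key to an allow-listed client request.

    The mobile or browser client talks to the proxy, not to Google, so the
    key never ships inside the app. Unknown paths or parameters raise rather
    than being forwarded, so a client cannot smuggle in its own `key`.
    """
    if path not in ALLOWED_ENDPOINTS:
        raise ValueError(f"endpoint not allowed: {path}")
    unexpected = set(client_params) - ALLOWED_ENDPOINTS[path]
    if unexpected:
        raise ValueError(f"parameters not allowed: {sorted(unexpected)}")
    query = urlencode(dict(client_params, key=api_key))
    return f"{MAPS_HOST}{path}?{query}"


def _url_signature(path_and_query, signing_secret):
    """HMAC-SHA1 over path+query, keyed with the base64-decoded secret."""
    key = base64.urlsafe_b64decode(signing_secret)
    digest = hmac.new(key, path_and_query.encode(), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode()


def sign_url(url, signing_secret):
    """Append Google's URL signature (Static Maps / Street View scheme).

    The signature covers everything after the host, including `key=`, and
    is appended URL-safe base64 encoded as the last parameter.
    """
    parsed = urlparse(url)
    path_and_query = f"{parsed.path}?{parsed.query}"
    signature = _url_signature(path_and_query, signing_secret)
    return f"{parsed.scheme}://{parsed.netloc}{path_and_query}&signature={signature}"


def verify_signed_url(url, signing_secret):
    """Recompute the signature and compare in constant time.

    Any change to the path or query after signing (a different `zoom`,
    a swapped `key`) invalidates the signature.
    """
    parsed = urlparse(url)
    query, sep, presented = parsed.query.rpartition("&signature=")
    if not sep:
        return False
    expected = _url_signature(f"{parsed.path}?{query}", signing_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = build_upstream_url(
        "/maps/api/staticmap",
        {"center": "Berlin", "zoom": "12", "size": "400x400"},
        "example-key",
    )
    print(sign_url(url, SAMPLE_SIGNING_SECRET))
```

The allow-list is the important design choice: a proxy that forwards arbitrary paths with the key attached is just a slower way of giving the key to every client. Combine it with a referrer or IP restriction on the key itself (next section) so that the key is useless even if the proxy is bypassed.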

Restricting API keys

API keys are credentials and you should manage them carefully. At a minimum, follow the recommendations below to keep your keys safe and to make sure restrictions are in place that limit the damage a compromised key can do. You restrict an API key by specifying an application restriction, one or more API restrictions, or both.

Application restrictions limit where a key may be used from: specific sites (IP addresses or web site referrers) or a specific platform (an Android or iOS app). You can select at most one restriction from this category (see Google Maps Platform APIs by Platform). API restrictions limit which Google Maps Platform APIs or SDKs a key may call. Requests to an API or SDK associated with the key are processed; requests to any API or SDK not associated with the key fail. You can specify as many API restrictions on a key as needed.

To set an API restriction for an API key

  • Firstly, go to the credentials panel.
  • Secondly, select the API key that you want to restrict.
    • The Restrict and rename API key page appears.
  • Thirdly, under API restrictions:
    • Click Restrict Key.
    • Click the Select APIs drop-down and select the APIs or SDKs you want your application to access using the API key.
  • Lastly, click Save.
    • The restriction becomes part of the API key definition after this step. If you fail to provide the appropriate details or do not click “Save”, the API key will not be restricted.
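Setting restrictions in the console is a one-off action; checking that every key in a project actually has them is something worth automating. The following is an added example, not code from Google's documentation or from this tutorial, that audits key definitions for a missing application restriction, a missing API restriction, or an application restriction so broad it restricts nothing. It assumes the input has the shape of the Key resource returned by the API Keys API v2 (which is also what `gcloud services api-keys list --format=json` prints): restrictions live under `restrictions`, with at most one of `browserKeyRestrictions`, `serverKeyRestrictions`, `androidKeyRestrictions` or `iosKeyRestrictions`, plus an `apiTargets` list. The three sample keys are constructed for the example.

```python
"""Audit Google Maps Platform API keys for missing or overly broad restrictions.

Added example for this tutorial, not code from Google's documentation.
It assumes the input is a list of Key resources in the shape returned by
the API Keys API v2 (also what `gcloud services api-keys list --format=json`
prints). The sample keys at the bottom are constructed for the example.
"""

# The four application restriction kinds; a key carries at most one of them.
APPLICATION_RESTRICTIONS = (
    "browserKeyRestrictions",  # HTTP referrers (websites)
    "serverKeyRestrictions",   # IP addresses (web servers, cron jobs)
    "androidKeyRestrictions",  # Android package name + SHA-1 fingerprint
    "iosKeyRestrictions",      # iOS bundle identifiers
)

# An IP restriction that admits every address is no restriction at all.
OVERLY_BROAD_IPS = {"0.0.0.0/0", "::/0"}


def audit_key(key):
    """Return a list of findings for one key; an empty list means it passes."""
    findings = []
    restrictions = key.get("restrictions", {})

    if not any(kind in restrictions for kind in APPLICATION_RESTRICTIONS):
        findings.append("no application restriction: any site, IP or app can use this key")

    for ip in restrictions.get("serverKeyRestrictions", {}).get("allowedIps", []):
        if ip in OVERLY_BROAD_IPS:
            findings.append(f"IP restriction admits every address: {ip}")

    for referrer in restrictions.get("browserKeyRestrictions", {}).get("allowedReferrers", []):
        # A pattern made only of wildcards and slashes matches every site.
        if referrer.strip("*/") == "":
            findings.append(f"referrer pattern matches every site: {referrer!r}")

    if not restrictions.get("apiTargets"):
        findings.append("no API restriction: key works for every API enabled in the project")

    return findings


def audit_keys(keys):
    """Map each key's display name to its findings."""
    return {key["displayName"]: audit_key(key) for key in keys}


# Constructed sample: three keys from a fictional project.
SAMPLE_KEYS = [
    {
        "name": "projects/123456/locations/global/keys/aaaa",
        "displayName": "unrestricted-legacy",
        # No `restrictions` at all: a key created and never restricted.
    },
    {
        "name": "projects/123456/locations/global/keys/bbbb",
        "displayName": "web-map-prod",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://*.example.com/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {
        "name": "projects/123456/locations/global/keys/cccc",
        "displayName": "backend-geocoder",
        "restrictions": {
            "serverKeyRestrictions": {"allowedIps": ["0.0.0.0/0"]},
            "apiTargets": [{"service": "geocoding-backend.googleapis.com"}],
        },
    },
]


if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS).items():
        print(f"{'OK' if not findings else 'FAIL':4} {name}")
        for finding in findings:
            print(f"     - {finding}")
```

Run this over the real key list on a schedule, or as a gate in the pipeline that provisions keys, and treat any finding as a defect: a key with no application restriction and no API restriction is exactly the credential the "Protecting API keys" section warns about, and it will be billed to your project regardless of who uses it.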

Reference: Google Documentation
