Reviewing Publicly Accessible Google API Key alert emails

Google has potentially been stepping up notifications about Google API keys that are unrestricted in recent months. Cardinal support has received a few tickets about this and it made sense to add a post about these email notifications and what to do if and when you receive one. Do pay attention to these emails, which will arrive from the [email protected] address, because they can contain important information about key misuse. If one of your API keys is unrestricted and is public facing, it’s possible for another website to simply copy and use your key from the HTML source, which counts against your Google Cloud Platform billing totals.

For example, if you see a URL in the email that you don’t recognize, you’ll want to take steps to immediately restrict your API key/s. It’s strongly recommended to restrict your front-end keys either way.

Screenshot example of a Google Cloud Platform email notification about suspicious activity detected for a Google Maps API key

As a reminder, Cardinal Store Locator requires two Google Maps API keys as pictured below.

Screenshot highlighting the two Google Maps API key settings available with the Cardinal Store Locator for WordPress plugin
  • A front-end key that is publicly exposed and used to display maps on the front-end of the website and geocode user input addresses and zip codes.
  • A back-end key that is not publicly exposed and cannot have any restrictions. There is more explanation of why this is needed in this post. This key is used for back-end geocoding requests when a location is added or updated.

To restrict and secure your front-end Google Maps API key it’s strongly recommended to enable referrer restrictions. To do that you must first login to your Google Cloud Console account and then take the following steps:

Make sure your project is selected on the left-hand side of the top toolbar as pictured:

Screenshot displaying the top toolbar of the Google Cloud Console account

From the navigation menu, opened by clicking on the hamburger icon on the very left, go to APIs & Services > Credentials.

Screenshot displaying how to open the credentials section within the Google Cloud Console project

The API keys associated with the project will display under the API Keys section. Determine which key is the front-end key by clicking the SHOW KEY link on the right-hand side of the section and compare to the value used in the Cardinal Store Locator front-end key setting (assuming you’ve already set one up and have saved it). If they key is unrestricted you’ll see an orange caution icon next to the name of the key like the one below.

Screenshot displaying how an unrestricted API key displays in the Google Cloud console

Click on the key name to open the settings for the key and under the “Set an application restriction” section select “Websites” from the list of options. Next, under the “Website restrictions” click the ADD button to add the website URL of the website you’re using the API/Cardinal Plugin on. It’s recommended to use the asterisk character as a wildcard to cover all paths on the domain that you’re working on. For example, *.cardinalwp.com/*. If you run into issues you can also add the domain in a more normal format such as https://cardinalwp.com. Note, it doesn’t hurt to just add multiple variations of your domain in this section.

Screenshot displaying how to implement website referrer restrictions for the Google Maps API key in the Google Cloud Console account

In the last “Selected APIs” section of the screen it’s recommended to select the “Restrict key” option with the following APIs:

  • Maps JavaScript API
  • Geocoding API
  • Directions API
  • Places API

After these settings have been set, click the SAVE button at the very bottom of the screen and note that as stated, it can take up to 5 minutes for the settings to take effect.

If you’re working on project that is in development and has an unrestricted API key, make sure not to push the key to a public code repository. GitHub should notify you if this occurs but other services probably don’t offer that feature. If your unrestricted key does get published to the web and you want to keep it unrestricted, such as using it only for back-end requests, you’ll want to rotate the key – delete it and get a new one.