
I've made a project in Google API Console. The project uses 2 services: YouTube Data API and Google Maps JavaScript API. The first service is server-to-server, so an API key is not exposed. The second service is client-to-server, so an API key is exposed (sent to the browser in the HTML code). If I use the same key both for the Maps API and the YouTube API, a user can take the key and use it to interact with YouTube on my behalf (this is a problem).

A solution is to use separate keys for the APIs. How can I get an API key which is allowed to be used with the Maps API but not with the YouTube API?

Finesse

2 Answers


These are the key restrictions that Google API currently offers:

None
HTTP referrers (web sites)
IP addresses (web servers, cron jobs, etc.)
Android apps
iOS apps

To prevent unauthorized use and quota theft, restrict your key. Key restriction lets you specify which web sites, IP addresses, or apps can use this key. Learn more at: https://support.google.com/googleapi/answer/6310037?hl=en

So you can set up your key so that it can be used only from your domain (by setting HTTP referrers to your web page) or IP address. Best practices are at the link mentioned above.

Ari Singh
  • Can the referer restriction protect against using a key on a server? When a user sends a request from a server, he can set any referer he wants in the HTTP request headers. – Finesse Feb 10 '18 at 09:51
  • Since you have to expose your keys, these solutions are not foolproof, though they will make it harder for someone to misuse your keys. You can also set quotas for paid services (details at https://developers.google.com/maps/faq), but this will not eliminate misuse. The best you can do is monitor use and other Google analytics to find out if your account is being misused. – Ari Singh Feb 10 '18 at 10:15

Make two projects in Google API Console:

  1. A project with server-to-server APIs enabled (YouTube API). The project API key is used only on the server and not exposed.
  2. A project with client-to-server APIs enabled (Google Maps API). The project API key is exposed but can't be used to access YouTube because the YouTube API is not enabled in the project.
Finesse
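Both answers come down to the same audit question: for every key in the project, which applications may present it (referrer, IP, app) and which APIs may it call? The script below is an added example, not code from either answer or from Google. It audits an export of API keys and flags exactly the mistake in the question (a browser-exposed key that can also reach YouTube) as well as keys with no restriction at all. The input shape follows the API Keys API v2 `Key` resource as returned by `gcloud services api-keys list --format=json`; the field names (`restrictions.browserKeyRestrictions.allowedReferrers`, `restrictions.apiTargets[].service`, and so on) and the service identifiers `maps-backend.googleapis.com` and `youtube.googleapis.com` are assumptions to verify against your own export, and the sample keys are constructed. As the comment above notes, the Referer header is attacker-controlled outside a browser, so for a browser key the API target list is the restriction that actually matters; the audit treats any non-browser API target on a browser key as a finding.

```python
"""Audit exported Google Cloud API keys for restriction gaps.

Added example, not from the original question or answers. Input shape
follows the API Keys API v2 Key resource as returned by
`gcloud services api-keys list --format=json` (field names assumed from
that API; verify against your own export). Sample keys are constructed.
"""
import json

# Constructed sample export: a well-scoped browser key, a well-scoped server
# key, a key that repeats the mistake in the question (one key for both APIs),
# and a legacy key with no restrictions at all.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "projects/123/locations/global/keys/browser-maps",
        "displayName": "maps-js (browser)",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {
        "name": "projects/123/locations/global/keys/server-youtube",
        "displayName": "youtube (server)",
        "restrictions": {
            "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
            "apiTargets": [{"service": "youtube.googleapis.com"}],
        },
    },
    {
        "name": "projects/123/locations/global/keys/shared",
        "displayName": "shared key",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
            "apiTargets": [
                {"service": "maps-backend.googleapis.com"},
                {"service": "youtube.googleapis.com"},
            ],
        },
    },
    {
        "name": "projects/123/locations/global/keys/legacy",
        "displayName": "legacy unrestricted",
        "restrictions": {},
    },
])

# Services that are legitimately called from a browser with a public key
# (assumed identifier). Any other target on a browser key is a finding.
BROWSER_SAFE_SERVICES = {"maps-backend.googleapis.com"}


def audit_key(key):
    """Return a list of finding strings for one Key resource (empty if clean)."""
    findings = []
    r = key.get("restrictions") or {}
    targets = {t["service"] for t in r.get("apiTargets", [])}
    has_browser = "browserKeyRestrictions" in r
    has_server = "serverKeyRestrictions" in r
    has_app = "androidKeyRestrictions" in r or "iosKeyRestrictions" in r

    if not (has_browser or has_server or has_app):
        findings.append("no application restriction: usable from anywhere")
    if not targets:
        findings.append("no API target restriction: usable with every enabled API")
    if has_browser:
        # A browser key is public by design, and the Referer header can be set
        # freely by a non-browser client, so the API target list is the real limit.
        leaked = sorted(targets - BROWSER_SAFE_SERVICES)
        if leaked:
            findings.append("browser key can call non-browser APIs: " + ", ".join(leaked))
    return findings


def audit_export(export_json):
    """Map display name -> findings, including only keys that have findings."""
    report = {}
    for key in json.loads(export_json):
        findings = audit_key(key)
        if findings:
            report[key["displayName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed export, only "shared key" and "legacy unrestricted" are reported; the two keys scoped the way the second answer describes (one API per exposure context) pass. Splitting APIs across two projects, as that answer suggests, and per-key API target restrictions both achieve the same separation; the audit catches the case where neither was done.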