1

We hosts a large number of websites for clients on our bespoke CMS. They all use the same Google API Key for Google's Maps and Geocoding API.

We want to start limiting the HTTP Referrer of our Google API Key by listing all of our client domain names.

The only way we have found to do this is by editing the key on https://console.developers.google.com/apis/credentials/ and adding the domains one at a time under 'Application restrictions' options.

Preview of 'Application restrictions' options on Google API website:

enter image description here

This is not very ideal for us, as we have several hundred client domains, and we would need a developer to add these manually each time we get a new domain.

So my question; is there a way for us to add the HTTP Referrer programatically? Or is there an alternative way to limit the usage of the keys by just our client domains?

1 Answers1

1

All sharing the same API key sounds like a design mistake. For example, if one of your clients goes crazy and overuses the quota or gets banned for abuse, or anything like that, then it will bring down the API for all your clients. Have you considered having a different API key for each client?

Nick Fortescue
  • 13,530
  • 1
  • 31
  • 37
  • We have considered that, but we had the similar problem of not knowing how to automate the creation of API Keys, and also automating adding the client's domain to the `HTTP Referrer` whitelist. Can you advise a way to do that? We are open minded to other solutions. –  Dec 19 '18 at 17:24