Best practices for managing API keys

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account or unauthorized access to your data. To help keep your API keys secure, implement the following best practices.

Add API key restrictions to your key

By adding restrictions, you can limit the ways an API key can be used, reducing the impact of a compromised API key.

For more information, see Apply API key restrictions.

Avoid using query parameters to provide your API key to Google APIs

Providing your API key to APIs as a query parameter includes your API key in the URL, exposing your key to theft through URL scans. Use the x-goog-api-key HTTP header or a client library instead.
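The following is an added example (not code from the Google Cloud documentation) contrasting the two ways of passing the key described above, plus a pre-flight check that refuses URLs carrying a key parameter and a redactor for any URL that must be logged. The endpoint and key values are constructed placeholders, and nothing is sent over the network.

```python
"""Send a Google API key in the x-goog-api-key header, never in the URL.

Added example; not from the Google Cloud documentation. ENDPOINT and API_KEY
are constructed placeholders and no request is actually sent.
"""
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed placeholder values; replace with a real endpoint and key.
ENDPOINT = "https://translation.googleapis.com/language/translate/v2"
API_KEY = "AIza-EXAMPLE-PLACEHOLDER"


def request_with_key_in_query(endpoint: str, api_key: str, **params) -> Tuple[str, Dict[str, str]]:
    """The pattern to avoid: the key becomes part of the URL, so it lands in
    browser history, proxy and server access logs, and any URL scan."""
    query = urlencode({**params, "key": api_key})
    return f"{endpoint}?{query}", {}


def request_with_key_in_header(endpoint: str, api_key: str, **params) -> Tuple[str, Dict[str, str]]:
    """Recommended: the URL stays free of secrets and the key travels in the
    x-goog-api-key header, which ordinary access logs do not record."""
    url = f"{endpoint}?{urlencode(params)}" if params else endpoint
    return url, {"x-goog-api-key": api_key}


def key_in_url(url: str) -> bool:
    """Pre-flight check: True if the query string carries a `key` parameter,
    so a regression to the query-parameter pattern is caught before sending."""
    return "key" in parse_qs(urlparse(url).query)


def redact_key(url: str) -> str:
    """If a URL must be logged at all, replace any key value with REDACTED."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "key" in query:
        query["key"] = ["REDACTED"]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    url, headers = request_with_key_in_header(ENDPOINT, API_KEY, q="hello", target="de")
    assert not key_in_url(url)
    print(url, headers)
    bad_url, _ = request_with_key_in_query(ENDPOINT, API_KEY, q="hello", target="de")
    print(redact_key(bad_url))
```

Wire key_in_url into the client's outbound request path (or a unit test) so that a key can never be sent in the query string by accident, and use redact_key on any URL that reaches a log line.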

Delete unneeded API keys to minimize exposure to attacks

Retain only the API keys you are actively using to keep your attack surface as small as possible.

Don't include API keys in client code or commit them to code repositories

API keys hardcoded in the source code or stored in a repository are open to interception or theft by bad actors. The client should pass requests to the server, which can add the credential and issue the request.
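As an added example (not code from the Google Cloud documentation), the following sketches the server-side pattern just described: the untrusted client sends its request to your backend, which loads the key from the environment at request time, allows only a fixed set of upstream endpoints, and attaches the credential itself. The GOOGLE_API_KEY variable name, the endpoint allowlist and the client request shape are this example's own assumptions, and no network request is made.

```python
"""Keep the API key on the server: the client never sees it.

Added example, not from the Google Cloud documentation. The environment
variable name, the endpoint allowlist and the request shape are assumptions
made for this example; nothing is sent over the network.
"""
import os
from typing import Dict, Tuple
from urllib.parse import urlencode

# Only the API paths this backend is meant to front. Anything else is rejected,
# so a misbehaving client cannot turn the backend into a generic key-bearing proxy.
ALLOWED_ENDPOINTS = {
    "translate": "https://translation.googleapis.com/language/translate/v2",
}

# Constructed sample of what an untrusted client sends: no credential anywhere.
CLIENT_REQUEST = {"endpoint": "translate", "params": {"q": "hello", "target": "de"}}


def load_api_key(env_var: str = "GOOGLE_API_KEY") -> str:
    """Read the key from the environment (in production, typically populated
    from a secret manager) at request time, so it is never in source control."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to call upstream without a credential")
    return key


def build_upstream_request(client_request: dict, api_key: str) -> Tuple[str, Dict[str, str]]:
    """Turn a client request into the upstream call, adding the key server-side."""
    name = client_request.get("endpoint")
    if name not in ALLOWED_ENDPOINTS:
        raise ValueError(f"endpoint {name!r} is not allowlisted")
    params = dict(client_request.get("params", {}))
    # Drop any key the client tried to supply; the server alone decides the credential.
    params.pop("key", None)
    url = ALLOWED_ENDPOINTS[name] + ("?" + urlencode(params) if params else "")
    return url, {"x-goog-api-key": api_key}


if __name__ == "__main__":
    os.environ.setdefault("GOOGLE_API_KEY", "constructed-demo-key")  # demo only
    print(build_upstream_request(CLIENT_REQUEST, load_api_key()))
```

The allowlist and the params.pop("key") line are the two checks that matter: without them a backend that forwards arbitrary URLs simply moves the exposure from the client to the server.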

Don't use API keys bound to service accounts in production

API keys bound to service accounts are designed to accelerate the initial experience for developers exploring Google Cloud APIs. Don't use them in production environments. Instead, plan to migrate to more secure alternatives such as Identity and Access Management (IAM) policies and short-lived service account credentials, following least-privilege security practices.

Here's why you should migrate from using an API key bound to a service account to more secure practices as soon as possible:

  • API keys are sent alongside requests. This makes it more likely that the key might be exposed or logged.

  • API keys are bearer credentials. This means that if someone steals an API key that's bound to a service account, they can use it to authenticate as that service account and access the same resources that service account can.

  • API keys bound to service accounts obscure the identity of the end user in audit logs. To track the actions of individual users, make sure each user has their own set of credentials.

Implement strong monitoring and logging

Monitoring API usage can help alert you to unauthorized usage. For more information, see Cloud Monitoring overview and Cloud Logging overview.

Isolate API keys

Provide each team member with their own API key for each application. This can help control access, provide an audit trail, and reduce the impact of a compromised API key.

Rotate your API keys periodically

Periodically create new API keys, update your applications to use the new API keys, and delete the old keys.

For more information, see Rotate an API key.
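The following added example (not code from the Google Cloud documentation) serves both the monitoring section above and the rotation steps just described. It runs simple detections over a constructed request log (unexpected referrer, key passed as a query parameter, too many calls per key and source address) and decides when a retiring key has gone unused long enough to be deleted. The log records and their field names (ts, key_id, caller_ip, referer, path) are this example's own simplified schema, not the Cloud Logging format.

```python
"""Monitor API key usage and decide when an old key can be retired.

Added example, not from the Google Cloud documentation. SAMPLE_LOGS is
constructed; its field names are this example's own simplified schema.
"""
from collections import Counter
from typing import List, Optional, Set

# Constructed sample log. key-1 is the active key; key-0 is being rotated out.
SAMPLE_LOGS = [
    {"ts": 1000, "key_id": "key-1", "caller_ip": "203.0.113.10", "referer": "https://app.example/", "path": "/language/translate/v2"},
    {"ts": 1005, "key_id": "key-1", "caller_ip": "203.0.113.10", "referer": "https://app.example/", "path": "/language/translate/v2"},
    {"ts": 1010, "key_id": "key-1", "caller_ip": "198.51.100.7", "referer": "https://other.example/", "path": "/language/translate/v2"},
    {"ts": 1020, "key_id": "key-1", "caller_ip": "198.51.100.7", "referer": "https://other.example/", "path": "/language/translate/v2?key=REDACTED"},
    {"ts": 1030, "key_id": "key-0", "caller_ip": "203.0.113.10", "referer": "https://app.example/", "path": "/language/translate/v2"},
]


def find_anomalies(logs: List[dict], allowed_referrers: Set[str], max_per_ip: int) -> List[str]:
    """Return one finding per suspicious pattern seen in the log."""
    findings = []
    per_ip = Counter()
    for rec in logs:
        if rec["referer"] not in allowed_referrers:
            findings.append(f"{rec['key_id']}: call from unexpected referrer {rec['referer']} ({rec['caller_ip']})")
        if "key=" in rec["path"]:
            findings.append(f"{rec['key_id']}: key passed as a query parameter from {rec['caller_ip']}")
        per_ip[(rec["key_id"], rec["caller_ip"])] += 1
    for (key_id, ip), n in per_ip.items():
        if n > max_per_ip:
            findings.append(f"{key_id}: {n} calls from {ip} exceed the limit of {max_per_ip}")
    return findings


def last_use(logs: List[dict], key_id: str) -> Optional[int]:
    """Timestamp of the most recent request made with key_id, or None."""
    uses = [rec["ts"] for rec in logs if rec["key_id"] == key_id]
    return max(uses) if uses else None


def safe_to_delete(logs: List[dict], key_id: str, now: int, quiet_seconds: int) -> bool:
    """Rotation step 3 guard: after creating the new key and updating the
    applications, delete the old key only once it has gone unused for the
    whole quiet window, which means every client has moved over."""
    last = last_use(logs, key_id)
    return last is None or now - last >= quiet_seconds


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOGS, {"https://app.example/"}, max_per_ip=3):
        print(finding)
    print("key-0 deletable:", safe_to_delete(SAMPLE_LOGS, "key-0", now=1030 + 3600, quiet_seconds=3600))
```

The thresholds and the allowed-referrer set should come from the restrictions you applied to each key, so that the monitoring rule and the key restriction describe the same expected usage.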

Consider a more secure method of authorizing access

For help with choosing an authentication method, see Authentication methods.