How to secure a Google Maps API Key
To prevent quota theft, secure your API key following these best practices. There are two types of restrictions, application and API.
The browser key should be restricted using HTTP referrer restrictions, whereas the server API key should be restricted using an IP address.
There are other options depending on your preferred URL format. Learn more here.
If you are unsure as to what HTTP referrer to add, please contact your webhost or server admin.
For the Google Maps Geocoding API (server) key, please enter a single IP or a range of IPs. Google provides the following as valid IP restriction examples:
192.168.0.1, 172.16.0.0/12, 2001:db8::1 or 2001:db8::/64
If you are unsure as to what IP address to add, please contact your webhost or server admin.
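As an added example (not part of the original article and not Yoast's or Google's code), this Python check tests whether a server's outbound IP is covered by the entries you plan to enter in the IP restriction field, using the four example values above. The function names and the sample server addresses are assumptions for illustration, and the strict CIDR check is a local lint for probable typos, not Google's own validation.

```python
import ipaddress

# Entries as they would be typed into the key's IP restriction field.
# These four are the valid examples quoted in the article.
RESTRICTIONS = ["192.168.0.1", "172.16.0.0/12", "2001:db8::1", "2001:db8::/64"]


def parse_restrictions(entries):
    """Return (networks, rejected) for a list of restriction strings."""
    networks, rejected = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # A bare address becomes a /32 or /128 network. strict=True
            # rejects ranges with host bits set (e.g. 172.16.5.0/12), which
            # this lint treats as a probable typo (assumption, see lead-in).
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return networks, rejected


def matching_entries(server_ip, networks):
    """List the restriction entries that cover the server's outbound IP."""
    addr = ipaddress.ip_address(server_ip)
    return [str(net) for net in networks
            if net.version == addr.version and addr in net]


def check_server(server_ip, entries):
    """Summarise whether requests from server_ip would match any entry."""
    networks, rejected = parse_restrictions(entries)
    matches = matching_entries(server_ip, networks)
    return {"server_ip": server_ip, "allowed": bool(matches),
            "matched_by": matches, "rejected_entries": [e for e, _ in rejected]}


if __name__ == "__main__":
    # Constructed sample addresses standing in for a server's outbound IP.
    for ip in ("172.20.1.5", "2001:db8::1", "203.0.113.10"):
        print(check_server(ip, RESTRICTIONS))
    # Constructed malformed entries that the lint should reject.
    print(check_server("172.20.1.5", ["172.16.5.0/12", "192.168.0.1-9"]))
```

Pass the address your server uses for outbound requests, which can differ from the address your site's domain resolves to when the host sits behind NAT or a proxy.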
Yoast SEO: Local uses the following APIs:
- Directions API (browser key)
- Timezone API (browser key)
- Geocoding API (server key)
Removing Google Maps API Restrictions
We highly recommend securing your API key to prevent others from using your quota. The downside is that incorrect restrictions can cause the maps to fail. Temporarily removing the restrictions will help identify whether the restrictions are causing the unexpected behavior.
- Go to the Google API Console. If prompted, log in.
- Select your site project.
- Click on the name of your API key.
- Select ‘None’ under the ‘Application restrictions’ section.
- Select ‘Don’t restrict key’ under the ‘API restrictions’ section.
- Click ‘Save’.
Google says it may take up to 5 minutes for the settings to take effect.
After 5 minutes, start from your homepage and browse to where the map should appear. If the map appears, the restrictions were invalid. Please re-add the restrictions one option at a time to determine which restriction caused the map to not appear.