Using API Keys

This page describes how to utilize API keys in API Gateway.

An API key is a simple string that identifies a Google Cloud project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the Google Cloud console and embeds that key in every call to your API as a query parameter or in a request header.

If you specify an API key requirement in your API config, API Gateway uses the API key to look up the associated Google Cloud project. API Gateway rejects requests unless the API key was generated in your Google Cloud project or within other Google Cloud projects in which your API has been enabled.

To create an API key, or view API keys already available within your Google Cloud project, go to the APIs & Services > Credentials page.

Go to Credentials

Use case

To use API Gateway features such as quotas, you can pass in an API key so that API Gateway can identify the Google Cloud project that the client application is associated with.

About API key authentication for API Gateway

If you are using an API key for authentication, you must first enable API key support for your service.

Enter the following command:

gcloud services enable MANAGED_SERVICE_NAME

The MANAGED_SERVICE_NAME specifies the name of the managed service created when you deployed the API. You can find this name in the Managed Service column for your API on the APIs landing page in the console. Alternatively, you can find this name in the Managed service property when using the gcloud api-gateway apis describe command.

For example:

gcloud services enable my-api-a12bcd345e67f89g0h.apigateway.my-project.cloud.goog

Restricting API keys

API keys are unrestricted by default. Unrestricted keys are insecure because they can be used by anyone from anywhere. We recommend that you add API restrictions where possible. API restrictions specify which APIs can be called using the API key. All API keys used by production applications should have API restrictions.

To add API restrictions:

  1. Find the title of the API as noted in your API Config. In the following example, the API title is My Example Config:

    # openapi.yaml
    swagger: '2.0'
    info:
      title: My Example Config
      description: Sample API on API Gateway
      version: 1.0.0
    ...
  2. In the Google Cloud console, go to the APIs & Services > Credentials page.

    Go to Credentials

  3. Select the name of the API key you wish to use for your API.

  4. In the API restrictions section of the API key detail page, click Restrict key.

  5. Select the API that your API key will be used to access from the dropdown list of available APIs. For example, if using the example config above, select My Example Config.

  6. Click Save.

Your restriction should take effect momentarily.