When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account or unauthorized access to your data. To help keep your API keys secure, implement the following best practices.
Add API key restrictions to your key
By adding restrictions, you can limit the ways an API key can be used, reducing the impact of a compromised API key.
For more information, see Apply API key restrictions.
Delete unneeded API keys to minimize exposure to attacks
Retain only the API keys you are currently using to keep your attack surface as small as possible.
Delete and recreate your API keys periodically
Periodically create new API keys, update your applications to use the new API keys, and delete the old keys.
Don't include API keys in client code or commit them to code repositories
API keys hardcoded in the source code or stored in a repository are open to interception or theft by bad actors. The client should pass requests to the server, which can add the credential and issue the request. If you must store the key on the client side, use a secret management system to keep the key secure.
Implement strong monitoring and logging
Monitoring API usage can help alert you to unauthorized usage. For more information, see Cloud Monitoring overview and Cloud Logging overview.
Consider a more secure method of authorizing access
For help with choosing an authentication method, see Authentication methods.