When you use API keys in your applications, ensure that they are kept secureduring both storage and transmission. Publicly exposing your API keys can leadto unexpected charges on your account or unauthorized access to your data. Tohelp keep your API keys secure, implement the following best practices.

Add API key restrictions to your key

By adding restrictions, you can limit the ways an API key can be used, reducingthe impact of a compromised API key.

For more information, seeApply API key restrictions.

Avoid using query parameters to provide your API key to Google APIs

Providing your API key to APIs as a query parameter includes your API key in theURL, exposing your key to theft through URL scans. Use thex-goog-api-key HTTP headeror aclient libraryinstead.

Delete unneeded API keys to minimize exposure to attacks

Retain only the API keys you are actively using to keep your attack surface assmall as possible.

Don't include API keys in client code or commit them to code repositories

API keys hardcoded in the source code or stored in a repository are open tointerception or theft by bad actors. The client should pass requests to theserver, which can add the credential and issue the request.

Don't use API keys bound to service accounts in production

API keys bound to service accounts are designed to accelerate the initialexperience for developers exploring Google Cloud APIs. Don't use them inproduction environments. Instead,plan to migrate to more secure alternatives such asIdentity and Access Management (IAM) policies andshort-lived service account credentials,following least-privilege security practices.

Here's why you should migrate from using an API key bound to a service accountto more secure practices as soon as possible:

• API keys are sent alongside requests. This makes it more likely that the keymight be exposed or logged.

• API keys are bearer credentials. This means that if someone steals an API keythat's bound to a service account, they can use it to authenticate as thatservice account and access the same resources that service account can.

• API keys bound to service accounts obscure the identity of the end user inaudit logs. To track the actions of individual users, make sure each user hastheir own set of credentials.

Implement strong monitoring and logging

Monitoring API usage can help alert you to unauthorized usage. For moreinformation, seeCloud Monitoring overview andCloud Logging overview.

Isolate API keys

Provide each team member with their own API key for each application. This canhelp control access, provide an audit trail, and reduce the impact of acompromised API key.

Rotate your API keys periodically

Periodically create new API keys, update your applications to use the new APIkeys, and delete the old keys.

For more information, seeRotate an API key.

Consider a more secure method of authorizing access

For help with choosing an authentication method, seeAuthentication methods.