Warning about Publicly accessible Google API key for Google Cloud Platform project


If you have received an email containing the message "We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project", here's what you should do to fix this.


Firstly, here is the typical content of this email:


We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:


Project project_name (id: unique-project-name) with API key AIzaSyC3xbIGfnsTzS5e90242ac120002-Dhl-k


The key was found at the following URL: https://your-website-here/index.html


We believe that you or your organization may have inadvertently published the affected API key in public sources or on public websites (for example, credentials mistakenly uploaded to a service such as GitHub.) Please note that as the project/account owner, you are responsible for securing your keys. Therefore, we recommend that you take the following steps to remedy this situation.


This relates to the Google Maps API key which you created and which is used by your store locator. It is supposed to be a public API key. However, you are receiving this message from Google because your Google Maps API key is unrestricted, which in theory means that anyone else can copy the key from your website and use it on their own website, and you would end up paying for their usage.


We always recommend adding an HTTP referrer restriction which, when added, will only allow your key to be used on your own store locator page(s). This works by restricting usage of the API key to your domain(s) only. To add a restriction, click on your key in the Google Console and add a domain as detailed below.


Click here to list your API keys (known as credentials). You will need to be logged in with the Google account that was originally used to create the API key: https://console.cloud.google.com/apis/credentials. The API key is shown at the top of the email that you received or you can find it in our admin console here: https://www.storelocatorwidgets.com/admin/Setup.


Click on the key and under Key restriction choose 'HTTP referrers (web sites)' as shown below:

Note that in my example above, I have added a restriction so the key can only be used on storelocatorwidgets.com. In your case I would recommend using either https://your-website-address.com/* to allow usage on your entire domain, or just copying and pasting the URL shown at the top of the email that you received.


Once that's done, save the changes and your key should be restricted. You should test your store locator to ensure that it still loads successfully after you have made this change - if not, go back and remove the Key restriction and contact us for help.
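To check every key in the project rather than one at a time, the following added example (not part of the original article or of Google's tooling) audits a key listing for missing or overly broad referrer restrictions. It assumes the JSON shape printed by `gcloud services api-keys list --format=json`; the sample keys and names are constructed, and `too_broad` and `audit_keys` are hypothetical helpers.

```python
import json

# Constructed sample, shaped like the output of
# `gcloud services api-keys list --format=json` (key names are placeholders).
SAMPLE_KEYS_JSON = """[
  {"name": "projects/0/locations/global/keys/key-a", "displayName": "locator-unrestricted"},
  {"name": "projects/0/locations/global/keys/key-b", "displayName": "locator-restricted",
   "restrictions": {"browserKeyRestrictions":
     {"allowedReferrers": ["https://your-website-address.com/*"]}}},
  {"name": "projects/0/locations/global/keys/key-c", "displayName": "locator-wildcard",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*", "*.com/*"]}}}
]"""

# Application restriction types a key can carry (assumed field names).
APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")


def too_broad(pattern):
    """True when the pattern's host has fewer than two non-wildcard labels."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    fixed = [label for label in host.split(".") if label and "*" not in label]
    return len(fixed) < 2


def audit_keys(keys):
    """Return (key label, finding) pairs for keys that other sites could reuse."""
    findings = []
    for key in keys:
        label = key.get("displayName") or key.get("name", "<unnamed>")
        restrictions = key.get("restrictions") or {}
        if not any(r in restrictions for r in APP_RESTRICTIONS):
            findings.append((label, "no application restriction"))
            continue
        browser = restrictions.get("browserKeyRestrictions")
        if browser is None:
            continue  # restricted by IP address or mobile app instead
        referrers = browser.get("allowedReferrers") or []
        if not referrers:
            findings.append((label, "referrer list is empty"))
        for pattern in referrers:
            if too_broad(pattern):
                findings.append((label, f"referrer pattern too broad: {pattern}"))
    return findings


if __name__ == "__main__":
    for label, finding in audit_keys(json.loads(SAMPLE_KEYS_JSON)):
        print(f"{label}: {finding}")
```

An empty result means every listed key is tied to a specific domain, IP address or mobile app.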


Sample email: