Warning that Your API keys are unprotected for Google Cloud Platform project

If you have received an email from Google with the subject "Important: Your API keys are unprotected" then here's what you should do to fix this.


Firstly, here is the typical content of this email:

Google Maps Platform
Protect your API keys with recommended restrictions
Hello << YOURNAME >>,

Some of your Google Maps Platform projects have unrestricted API keys, which can be stolen and lead to unwanted charges.

To keep your API keys safe, we strongly recommend you secure them by limiting each key's usage to specific apps and websites.

Click the project links below to access the Credentials section of Google Maps Platform console and click “APPLY RECOMMENDED RESTRICTIONS” for each unrestricted key. Restricting your keys shouldn’t take more than a few minutes.

Your projects with unrestricted keys
<< LINK TO YOUR PROJECT HERE >>

You can always change the restrictions later if you need to.

Learn more about API key best practices.

Sincerely,
Google Maps Platform Support


This relates to the Google Maps API key that you created and that your store locator uses. The key is meant to be a public API key, but Google is sending you this message because the key is unrestricted. In theory, that means anyone can copy the key from your website and use it on their own website, and you would end up paying for their usage.


We always recommend adding an HTTP referrer restriction which, when added, will only allow your key to be used on your own store locator page(s). This works by restricting usage of the API key to your domain(s) only. To add a restriction, click on your key in the Google Console and add a domain as detailed below.


To list your API keys (known as credentials), go to https://console.cloud.google.com/apis/credentials. You will need to be logged in with the Google account that was originally used to create the API key. The API key is shown at the top of the email that you received, or you can find it in our admin console here: https://www.storelocatorwidgets.com/admin/Setup.


Click on the key and under Key restriction choose 'HTTP referrers (web sites)' as shown below:

Note that in my example above I have added a restriction so the key can only be used on storelocatorwidgets.com. In your case I would recommend using either https://your-website-address.com/* to allow usage on your entire domain, or just copying and pasting the URL shown at the top of the email that you received.


We don't recommend setting an API restriction (the section below Website restrictions).


Once that's done, save the changes and your key should be restricted. You should test your store locator to ensure that it still loads successfully after you have made this change - if not, go back and remove the Key restriction and contact us for help.
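To confirm the restriction across every key in a project rather than one at a time, the sketch below audits a JSON export of the project's keys. It is an added example, not part of the original article or of Google's tooling. It assumes the export comes from `gcloud services api-keys list --format=json` and follows the API Keys API field names (`restrictions`, `browserKeyRestrictions`, `allowedReferrers`); the sample data is constructed.

```python
import json

# Constructed sample, assumed to match the shape printed by
# `gcloud services api-keys list --format=json`.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/000/locations/global/keys/key-a",
   "displayName": "Store locator (unrestricted)"},
  {"name": "projects/000/locations/global/keys/key-b",
   "displayName": "Store locator (restricted)",
   "restrictions": {"browserKeyRestrictions":
       {"allowedReferrers": ["https://your-website-address.com/*"]}}},
  {"name": "projects/000/locations/global/keys/key-c",
   "displayName": "Wildcard referrer",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]}}}
]
"""

# Application restrictions limit WHERE a key can be used from.
APP_RESTRICTION_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                          "androidKeyRestrictions", "iosKeyRestrictions")

def audit_key(key):
    """Return findings for one key; an empty list means it looks restricted."""
    restrictions = key.get("restrictions") or {}
    present = [f for f in APP_RESTRICTION_FIELDS if restrictions.get(f)]
    if not present:
        return ["no application restriction: usable from any website or app"]
    findings = []
    browser = restrictions.get("browserKeyRestrictions") or {}
    referrers = browser.get("allowedReferrers", [])
    if "browserKeyRestrictions" in present and not referrers:
        findings.append("HTTP referrer restriction has no referrers listed")
    for ref in referrers:
        # Heuristic: a host made up only of '*' and '.' limits nothing.
        host = ref.split("://", 1)[-1].split("/", 1)[0]
        if host.strip("*.") == "":
            findings.append(f"referrer {ref!r} matches every site")
    return findings

def audit_keys(keys_json):
    """Map each key's display name to its list of findings."""
    return {k.get("displayName", k["name"]): audit_key(k)
            for k in json.loads(keys_json)}

if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS_JSON).items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
```
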