I am using an API key in some Python code which I am looking to distribute. This API key is for Google Maps. Are there any security issues with regard to distributing this API key and, if so, how is it best to hide this?
5 Answers
It isn't necessary; the Google API key is tied to your domain, so the referrer is checked when it is used.
You can read more about how it works here
Relevant part
Note that a key for http://www.mygooglemapssite.com/ will only be accepted when the site is accessed using this address. It will not be accepted if the site is accessed by IP address (eg. http://10.1.2.3/) or by a hostname that is aliased to www.mygooglemapssite.com using a DNS CNAME record.
Their version 3 API doesn't require a key now.
You cannot hide this. Your program needs to access it and a hacker will simply use a tool like a debugger, a virtual machine or a modified Python implementation if he/she really wants to know the API key.
I don't think it's necessary to hide a Google Maps API key anyway, as a web page will also have this in its source code when the API is in use. You should refer to the documentation or the page where you obtained the key to see if it's a private key.
If you're providing a tool for "power users" to use Google Maps, then it's reasonable to expect them to supply their own Google API key. If that's not an option for your users, you will need to have a web service that your application accesses to act as a deputy so that your private key is not exposed. You will still have to devise a means of authenticating users, if that is applicable.
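The deputy web service described in the answer above, sketched as an added example (not code from any of the posters): the distributed client sends only its own per-user token, and the server attaches the key, strips any client-supplied `key` parameter, and caps each user's usage. The Geocoding endpoint, the `MAPS_API_KEY` variable, the token table, the parameter allowlist and the limit are assumptions for illustration.

```python
import hmac
import os
from collections import Counter
from urllib.parse import urlencode

# Assumption: the Geocoding web service; use whichever Maps endpoint you call.
UPSTREAM = "https://maps.googleapis.com/maps/api/geocode/json"
ALLOWED_PARAMS = {"address", "language", "region"}  # what clients may set
DAILY_LIMIT = 100                                   # hypothetical per-user cap

# Constructed sample secrets. On a real deputy both come from the server's
# environment or a secret store and never ship with the client.
API_KEY = os.environ.get("MAPS_API_KEY", "constructed-server-side-key")
CLIENT_TOKENS = {"alice": "constructed-token-for-alice"}
_used = Counter()  # requests forwarded per user (reset daily in practice)


def authenticate(user, token):
    """Constant-time comparison against the token issued to this user."""
    expected = CLIENT_TOKENS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), token.encode())


def build_upstream_url(user, token, params, limit=DAILY_LIMIT):
    """Return (http_status, upstream_url or None) for one client request.

    The URL is used by the deputy only; it is never sent back to the client,
    which receives just the upstream response body.
    """
    if not authenticate(user, token):
        return 401, None
    # Keep allowlisted parameters only, so a client cannot inject "key"
    # or steer the deputy towards other upstream options.
    clean = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    if "address" not in clean:
        return 400, None
    if _used[user] >= limit:
        return 429, None  # protects the shared key's quota
    _used[user] += 1
    clean["key"] = API_KEY  # attached server-side only
    return 200, f"{UPSTREAM}?{urlencode(sorted(clean.items()))}"
```
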
You could obfuscate the key in various ways, but it's not worth the effort. Obfuscation is a weak way to protect information, and in this case your information's security isn't especially critical anyway.
The point of the API key is largely so that the API vendor (Google, here) can monitor, throttle, and revoke your application's use of their service. It is meant to be private, and you shouldn't share it carelessly or intentionally, but it isn't the end of the world if somebody else gets their hands on it.