Best practices for managing API keys

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account or unauthorized access to your data. To help keep your API keys secure, implement the following best practices.

Add API key restrictions to your key

By adding restrictions, you can limit the ways an API key can be used, reducing the impact of a compromised API key.

For more information, see Apply API key restrictions.

Delete unneeded API keys to minimize exposure to attacks

Retain only the API keys you are currently using to keep your attack surface as small as possible.

Rotate your API keys periodically

Periodically create new API keys, update your applications to use the new API keys, and delete the old keys.

For more information, see Rotate an API key.

Don't include API keys in client code or commit them to code repositories

API keys hardcoded in the source code or stored in a repository are open to interception or theft by bad actors. The client should pass requests to the server, which can add the credential and issue the request. If you must store the key on the client side, use a secret management system to keep the key secure.

Implement strong monitoring and logging

Monitoring API usage can help alert you to unauthorized usage. For more information, see Cloud Monitoring overview and Cloud Logging overview.

Consider a more secure method of authorizing access

For help with choosing an authentication method, see Authentication methods.