API key restrictions â
An unrestricted API key is a security risk. Anyone who finds your key in your website's source code could use it on their own site, generating charges on your account.
Application restrictions â
In the Google Cloud Console, restrict your key to HTTP referrers and add your domain:
https://yourdomain.com/*
https://www.yourdomain.com/*For staging environments, add your staging domain temporarily and remove it after testing.
API restrictions â
Restrict the key to only the APIs you need:
- Maps JavaScript API
- Places API
- Geocoding API
- Directions API
Do not enable APIs you are not using (e.g., Maps Static API, Maps Embed API).
Referrer-restricted keys and geocoding â
WP Google Street View 1.1.13 keeps the admin-side address and coordinate lookup compatible with HTTP referrer-restricted browser keys. The plugin uses the Google Maps JavaScript layer for admin geocoding, instead of calling the Google Geocoding Web Service directly from the browser.
That means most sites can keep a single browser key restricted to their own domain. You do not need a separate server key only to use the pluginâs normal admin lookup flow.
If you still see âAPI keys with referer restrictions cannot be used with this APIâ, make sure the site is running WP Google Street View 1.1.13 or later and clear cached admin scripts.
Monitoring usage â
Visit the Google Cloud Console â APIs & Services â Dashboard to monitor API calls, errors, and quotas.
What if my key is compromised? â
- Immediately restrict or delete the key in the Cloud Console
- Generate a new key with proper restrictions
- Update the key in WP Google Street View â Settings