API key restrictions
An unrestricted API key is a security risk. Anyone who finds your key in your website's source code could use it on their own site, generating charges on your account.
Application restrictions
In the Google Cloud Console, restrict your key to HTTP referrers and add your domain:
https://yourdomain.com/*
https://www.yourdomain.com/*
For staging environments, add your staging domain temporarily and remove it after testing.
API restrictions
Restrict the key to only the APIs you need:
- Maps JavaScript API
- Places API
- Geocoding API
- Directions API
Do not enable APIs you are not using (e.g., Maps Static API, Maps Embed API).
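To check that a key still matches both kinds of restriction described above, the following added example (not part of the plugin or its documentation) audits a key's configuration offline. It assumes the JSON shape printed by `gcloud services api-keys describe KEY_ID --format=json`; the backend service names, the `audit_key` helper and the sample key are assumptions made for illustration.

```python
# Added example: audit an API key's restrictions against the guidance above.
# Assumed input shape: JSON from `gcloud services api-keys describe KEY_ID --format=json`.
from urllib.parse import urlsplit

# Assumed backend service names for the four APIs listed above.
NEEDED_SERVICES = {
    "maps-backend.googleapis.com",        # Maps JavaScript API
    "places-backend.googleapis.com",      # Places API
    "geocoding-backend.googleapis.com",   # Geocoding API
    "directions-backend.googleapis.com",  # Directions API
}

# Constructed sample: a staging referrer and an unused API were left on the key.
SAMPLE_KEY = {
    "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": [
            "https://yourdomain.com/*",
            "https://www.yourdomain.com/*",
            "https://staging.yourdomain.com/*",
        ]},
        "apiTargets": [
            {"service": "maps-backend.googleapis.com"},
            {"service": "static-maps-backend.googleapis.com"},
        ],
    },
}

def audit_key(key, production_hosts):
    """Return findings; an empty list means the key matches the guidance."""
    findings = []
    restrictions = key.get("restrictions") or {}
    referrers = (restrictions.get("browserKeyRestrictions") or {}).get("allowedReferrers") or []
    if not referrers:
        findings.append("no HTTP referrer restriction: any site can use the key")
    for ref in referrers:
        host = urlsplit(ref if "://" in ref else "//" + ref).hostname or ""
        if host not in production_hosts:
            findings.append(f"referrer outside production domains: {ref}")
    targets = restrictions.get("apiTargets") or []
    services = {t["service"] for t in targets if t.get("service")}
    if not services:
        findings.append("no API restriction: key can call every enabled API")
    for extra in sorted(services - NEEDED_SERVICES):
        findings.append(f"API not needed by the site: {extra}")
    return findings

if __name__ == "__main__":
    for finding in audit_key(SAMPLE_KEY, {"yourdomain.com", "www.yourdomain.com"}):
        print("FINDING:", finding)
```

Run it after each staging test or plugin change; any finding means the key has drifted from the restrictions above.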
Monitoring usage
Visit the Google Cloud Console → APIs & Services → Dashboard to monitor API calls, errors, and quotas.
What if my key is compromised?
- Immediately restrict or delete the key in the Cloud Console
- Generate a new key with proper restrictions
- Update the key in WP Google Street View → Settings