[OFFICIAL] Google API Restriction Emails

Started by Mario, July 22, 2025, 04:58:19 PM


Mario

Google is again sending out emails for API keys which have no restrictions. Unfortunately, we cannot restrict the API key used for Google Maps in IMatch in any way.

There are three types of restrictions:

1. Android/Apple apps. Does not apply.

2. Restrictions based on IP address. If you use IMatch at home, it is very likely that your IP address changes once a day, or every several days. This makes it impossible to limit access to the Google Maps API to a specific IP, unless you are keeping track all the time and change the IP restriction based on your current IP address before using Google Maps in IMatch.

3. HTTP Referrer restrictions. This can be used to e.g. restrict access to an API key to a specific URL, e.g. www.example.com. Since the Map Panel runs on your PC, the HTTP referrer will always be http://127.0.0.1:50519/, and that referrer is identical for every IMatch user. If somebody gets access to your API key, this referrer is very easy to simulate.

Update:

I have made some tests, and limiting the API key to this website seems to work and is better than nothing:

http://127.0.0.1:50519/imatch/apps/FEATURES/mapapp/index.html

Note: The port number 50519 may be different on your computer if another software uses that port and IMatch had to select another port.

In general:

a) keep your API key secret, b) change it regularly, c) keep an eye on your budget, and d) maybe set up an email notification that warns you when your API usage exceeds your budget. Google unfortunately (why?) does not do the decent thing and allow for a hard limit like e.g. OpenAI does. A simple setting "If my budget of 10 US$ is exceeded, disable the API key" would be so very helpful. But it's Google, so...

This of course also applies to all other API keys, from HERE to Bing to OpenAI, Mistral and Gemini.