I'm having some issues understanding the differences between an API Key and a Developer's Key when it comes to utilizing the YouTube API.
My application is using the restful requests in v3 of the Youtube API and I can set an API key via the gapi.client.setApiKey() function , which I have done during development, but when I was looking at the quotas, https://groups.google.com/forum/?fromgroups=#!topic/youtube-api-gdata/e1JDQ4lqbXU, it states that they are tied to a developer key instead and that the developer key should be sent with each request. I went ahead and got one for development purposes, but I'm not sure how they interact with each other.
I also didn't find any details on how to send the developer's key with each restful request (such as gapi.client.youtube.channels.list), only how to include it in the header or query string when making a regular get request.
Can someone help me understand the difference between the two, how they are related, whether I need both, and how to use them in restful requests, or if I need to switch to regular get requests?
Sorry for the confusion.
"Developer keys" refer to keys that worked with v1 or v2 of the YouTube Data API. You can obtain them here. There's a separate quota system in place for v1/v2 and yes, developer keys do come into play there.
"API Keys" refer to keys that you use when making unauthenticated requests using v3 of the YouTube Data API. (If you're making an authenticated request, you don't include an API Key, since the OAuth 2 client id/secret identifies your application.) You get an API Key that you could use with YouTube from the Google APIs console, after turning on the YouTUbe Data API v3 as one of the Services you're using. Quota in v3 is tied to your API Console project, and your API Key identifies which project you're using.
The takeaway is that if you're making unauthenticated YouTube Data API v3 calls, you should only include an API Key from the Google APIs console in your request. If you're using the JavaClient library, that's done via gapi.client.setApiKey().
Related
I can login with
<script src="https://accounts.google.com/gsi/client" async defer></script>
I have created an api key for google drive on the console dashboard. According to Drive js api. I should not put the key in a public webpage.
Is there a way to get my api key from after logging in with the account that owns the key via javascript?
An api key is used for accessing public apis. Unless the file you are trying to access is public you are not going to be able to access it. That tutorial also tells you to create Web application. Which will allow you to authorize your user to access their data.
Is there a way to get my api key from after logging in with the account that owns the key via javascript?
Api keys and web application credentials as which that tutorial shows you how to create are owned by you the developer. They are used to request authorization of the users of your application. So no there is no way that the users of your application could give you an api key that must be created by you the developer.
Restrict your api key
due to the fact that javascript is client side if anyone does a view source they are going to see your api key. That is why it is a good idea to setup restriction for your key in Google clound colsone
Apikeys
There are a number of ways to restrict your key
You can restrict it by API restrictions limiting what apis it can be used for.
You can set up Application restrictions which will limit things like what websites it can be used from or an ip address.
A key in production should always have restrictions applied.
I'm working with the geocoding api from google. I'll be hitting the following endpoint with ajax like so...
$.ajax({
url: https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&key=MY_API_KEY,
success: function(data) {
console.log("yay");
}
})
Is it safe to add my api key directly into my javascript? This means it will be viewable from my website and also on source control. What precautions should I take?
No, you should absolutely hide your API key(s) from the client and source control. A malicious user could use the key to exhaust your quota, making your application potentially unusable.
To avoid this, create a server which fetches the data from the API and then serves it to the user. Additionally, you should apply rate limiting, to prevent users exhausting your quota through your own application.
For more information, see this support article.
Consider also using the Geocoding Service in the Google Maps JavaScript API. When loading the JavaScript API, make sure to use an API key that is restricted to your website.
Remember that results from the Google Geocoding services must be displayed on a Google map (see 10.4.d and 10.4.e).
After getting an access-token, I don't know how to use google API.
I tried to add 'access_token' but the error message displays 403: the request cannot be identified with a client project. Please pass a valid API Key with the request.
so I mixed up because I didn't get any API Key from OAuth. Please, does anyone knows how to get valid API key?
Have you looked at Using OAuth 2.0 for Client-side Web Applications?
The process is described quite nicely there. If you successfully received and verified the access_token, you can scroll down to Calling a Google API to see how to make API calls using the access_token.
If you need help with using a specific Google API, visit that API's documentation page. (e.g. Maps API, Drive API etc.)
Make sure you have needed APIs enabled and relevant credentials set up correctly from the Google API Console
You have to provide the api key along with the url; to do that just add the parameter "key=API_KEY", for example:
sheets.googleapis.com/v4/spreadsheets{{spreadsheet ID}}/values/{{the name of the spreadsheet}}!A1:D3?key={{API_KEY}}
I'm getting ready to launch an Angular/Node web application which uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and was pretty successful in beta. It's not going to be a commercial success, just a fun app that makes peoples lives a little bit easier. I have one issue/concern, should I be hiding my YouTube V3 API key, client id, and scopes? Or can I assume that since only my domain name is whitelisted, that the potential hackers/people who try to use the API key, won't be able to make any calls or do any damage so therefore I have nothing to worry about?
These are the specific calls I'm worried about (not the real ids/keys)
Index.html Script Tag
var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];
In Angular, Controller.js
.value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
gapi.client.setApiKey(google_api_key);
For Simple Access to Google APIs, API key is the only credential required for the request, and it is a unique identifier of your app/project. It provides API access and is subject to quotas.
You should keep it a secret!
If you have a client-side-only app (without a server), then use OAuth 2.0 Client-side Flow
From Google's Documentation:
Best practices for securely using API keys:
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:
Do not embed API keys directly in code
API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.
Do not store API keys in files inside your application's source tree
If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.
Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them
By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.
Delete unneeded API keys
To minimize your exposure to attack, delete any API keys that you no longer need.
Regenerate your API keys periodically
You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.
Review your code before publicly releasing it
Ensure that your code does not contain API keys or any other private information before you make your code publicly available.
The instructions for v.3 of the Google Maps API say that I
should load the Maps API using an API key
Curiously it says I should..., rather than I must..... Anyhow, at the moment, I am not using an API key simply because (as far as I can remember) there was no mention of an API key when I was writing the code that calls this API.
Should I go back and add an API key to the URL that loads the API? It seems to work fine without the key, so I don't have any particular incentive to do this.
You're actually required to not have a key if you're a business user. Here's a quote from Google:
Google Maps API for Business developers must not include a key in their requests. Please refer to Loading the Google Maps JavaScript API for Business-specific instructions.
Normal users, however, will be fine with or without a key, although Google recommends having a key so you can monitor the API usage. Here is a quote verifying this:
The Google Maps JavaScript API V3 does not require a key, but there are benefits to using one.
You only need a key if you want to use the API management console to restrict access, collect usage statistics, etc. So, a key is recommended but not required.
See Obtaining an API key
In Api version 2 a key is required to run gmap out of localhost
in the API v3 a key is not required