Registering and Restricting Google Maps and Woosmap Platform API Keys

Google Maps and Woosmap Platform APIs and SDKs require you to send an API key with all calls. API keys act as unique identifiers that authenticate the calls you make to Google Maps and Woosmap Platform and ensure they are billed to the correct account.

Our Store Locator Widget and Store Search Widget require you to set an API key for each platform, Google and Woosmap.

To keep your integration efficient and secure and prevent any unwanted or unexpected usage of your Google Maps and Woosmap Platform, you'll have to restrict your API keys.

Registering a Woosmap Public key

Assuming you have already created your Woosmap account.

Steps:

• Visit the Woosmap Console and authenticate yourself
• Click on the Projects menu on your left.
• Either create a new project or select an existing one.
• The Woosmap Public API Key is automatically created. You can see it from the Security and Access menu under the Basic tab.

This Key is a long string of generated characters preceded by woos-.woos-26b90591-6d9e-3b74-ba24-a887ec084e86

Next, have a look on how to secure your key by applying restrictions.

Registering a Google Maps API key

You must have a Google account to generate a key for Google Maps API. If you have contracted your Google Maps Platform license through Web Geo Services, please use the Google Billing account we provide you. The name is in the form of "cutomername - WGS - for maps".

Steps:

• Visit the Google Maps Platform page and click Get started.
• Select the Maps and Places product to get the APIs that are needed to work with Woosmap Widgets.
• Click Continue.
• The Select a project step requires you to associate a name with your use of Google’s APIs. Either create a new name or select an existing project.
• After agreeing to the terms of service, click Next.
• Create a billing account with the Google Maps Platform. A billing account is a requirement in the new Google Maps Platform. For more information, see the Google Maps Platform pricing and billing documentation.

This Key is a long string of generated characters and looks like:

AIzaSyAQanzCC6g4sR3tgj8tmFlByqhGFVKBFZE

Why should I restrict my API keys?

Restricting your API keys helps ensure your Google Maps and Woosmap Platform account is secure. To create a new Woosmap Project, you need to set at list one restriction. On Google Maps Platform, by default no restrictions are applied. We strongly recommend that you restrict your API key when you generate them. You can always change the restrictions later, if you need to.

What’s a Woosmap Public key restriction?

Woosmap public key restrictions are the authorized domains and IPs from which the call to Woosmap API will be done. You can add or remove an authorized domain name in the project creation stage and from the Security and Access menu under the Basic tab.
Wildcard characters are acceptable for naming similar web sites. For example, *.woosmap.com accepts all sites ending in woosmap.com, such as https://developers.woosmap.com. Please, do not insert the protocol in front of your domain name. Both http and https are automatically supported without specifying them.

What’s a Google Maps API key restriction?

Google Maps API key restrictions are settings you apply to an API key that limit which applications, APIs, and SDKs can be used with that key. For example, you can specify that an API key can only be used to make calls from an Android app that has your app’s package name, or to the Geocoding API from a server with an IP address that matches the server your backend service is running on. API key restrictions make it possible for you to limit what a key can be used for, limiting your exposure if your key were compromised.

What types of Google Maps API key restrictions are available?

There are two types of API key restrictions: API restrictions and application restrictions. Application restrictions limit usage of the API key to a specific web site, web server, or application. Google Maps Platform supports four types of application restrictions:

• HTTP referrers: restricts usage to one or more URLs and is intended for keys that are used in websites and web apps. This type of restriction allows you to set restrictions to a specific domain, page or set of pages in your website.
• IP addresses: restricts usage to one or more IP addresses, and are intended for securing keys used in server-side requests, such as calls from web servers and cron jobs.
• Android app: restricts usage to calls from an Android app with a specified package name.
• iOS app : restricts usage to calls from an iOS app with a specified bundle identifier.

API restrictions limit usage of the API key to one or more APIs or SDKs. By default, when you create a new API key, no API restrictions are applied so this key can call any API. We strongly recommend that you limit the list to only those that are needed. The Woosmap Store Locator widget needs at least the Maps Javascript API to display the Map and either the Geocoding API or the Places API to search for places and localities.

How do I restrict my Google API key to a specific domain?

Restricting an API key is fast and easy. You can do it at any time from the credentials page of the Google Cloud console.

Steps:

• Go to the Google API credentials page.
• Select your project from the menu.
• Select the API key that you want to set a restriction on. The API key property page appears.
• Under Application restrictions, click HTTP referrers (web sites) and enter any domain associated with your integration. Wildcard characters are acceptable for naming similar web sites. For example, *.woosmap.com accepts all sites ending in woosmap.com, such as https://developers.woosmap.com.
• Click Save.

If you want more detailed steps, watch the following video.

Best practices for applying API key restrictions

Here are some general guidelines you can use to determine strategies to protect your API keys.

• Never use the same API key for client-side and server-side applications.
• Use independent API keys for different apps or website. This limits the scope of each key. If an API key is compromised, you can delete and revoke the impacted key without needing to update your other API keys.
• Delete API keys no longer needed.

Google published a document to help you applying this guidelines: Google Maps Platform API Key Best Practices

If you want to go further in the management of Woosmap API Keys, visit the Woosmap developers documentation.

If you have any questions about the content, please don’t hesitate to reach out to us through the documentation contact page. We are always interested in your suggestions and always available to help.