I am running into an issue configuring my Google Geocode and Maps APIs. I have read in Google’s documentation that:
Before moving your mobile app, website, or web server to production, it is recommended that you secure your API key by adding a restriction …
So if I set up the restriction to be HTTP referrers, and configure the referrer to be my domain, Maps in my Bubble app show correctly, and addresses, when used in fields, are correctly autocompleted. However, if I try to capture the current user’s location as follows:
I get the following error:
Error hitting Google Geocode API: API keys with referer restrictions cannot be used with this API.
Of course, if I remove the key’s restrictions, then all works as expected.
Can anyone shed some light on what I am doing wrong? Any help is much appreciated.
So, although unrelated to the API itself, do you know how I can find the IP address for my Bubble app? I tried the DNS numbers configured in the Domain (@/ww) but that did not work.
I agree with @mishav, having these API keys completely open is a security risk, per Google’s API documentation:
An API key is unrestricted by default. Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides. For production applications, set both application and API restrictions.
@neerja, do you have any suggestions on how to make production applications secure in a Personal app plan?
@mishav Our team can review this request but this will not be a quick change. @malife Google Maps / Geocoding API keys are not exposed. You are entering it in your app settings which along with the rest of the editor should not be visible if the app is set as private.
I know this post is from a very long time ago, but I am wondering if you ever got a response as I am having the same problem?
I have configured my Google Geocoding and Google Maps APIs for my app (as 2 different API keys) and for my Google Maps API I am able to use HTTP referrers as a restriction and it works fine. However, for my Geocoding API, it only works when I take off the HTTP referrers restriction and thus I am forced to use it without any restriction. Like you, I am concerned that without this restriction, anyone could access and use my API key.
Like you mentioned in the post, when I look at the page’s source I am only able to see my Google Maps API key, which is restricted, so it seems OK. It does not seem like my Geocoding API key is visible, so even though it is not restricted, it would seem not to be a security issue. However, it would be great if someone could confirm that there is no way to access Geocoding API keys?
Hello Melissa,
Unfortunately, I never heard back. One thing I can say is that my app has been out in the wild for a year or so and I have not detected any misuse of my API key.
It would be good if someone from the Bubble team could confirm whether our understanding is correct.
Thank you for the prompt response @malife, it is helpful to know that you haven’t identified misuses after a year!
Hi @romanmg, sorry to bring you into this thread but I was wondering if you have any insight into this. To save you time, the question is really if you know if people can access a Google Geocoding API Key that is not restricted? We ask because it seems like Google does not allow HTTP referrers restriction on Geocoding API Keys.
Any updates on this? Is there a way to use the server-side API in a secure way?
By the way, for client-side, when I turn on a restriction by domain (both mine and Bubble’s) it breaks the API. I’m maybe doing something wrong there, but from my research there’s no way to place a restriction from the server side unless paying for a dedicated IP. Is that correct?
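Added example, not part of the thread and not Bubble's or Google's code: a small audit over a key inventory that flags the two conditions discussed above, a key missing the application or API restriction that the quoted Google documentation asks for, and a referrer-restricted key pointed at the Geocoding web service, which is the combination behind the error in the first post. The record layout is assumed to follow the `restrictions` object of Google's API Keys API; the key names and domain are constructed.

```python
import json

# Constructed sample inventory (key names and domain are made up). The layout
# is assumed to match the `restrictions` object of Google's API Keys API.
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "maps-browser",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "geocode-open"},
  {"displayName": "geocode-referrer",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
     "apiTargets": [{"service": "geocoding-backend.googleapis.com"}]}},
  {"displayName": "geocode-api-only",
   "restrictions": {"apiTargets": [{"service": "geocoding-backend.googleapis.com"}]}}
]
""")

APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")
GEOCODING = "geocoding-backend.googleapis.com"

def audit_key(key):
    """Return the list of findings for one key record (empty list = ok)."""
    r = key.get("restrictions") or {}
    app = [name for name in APP_RESTRICTIONS if r.get(name)]
    apis = {t.get("service") for t in r.get("apiTargets", [])}
    findings = []
    if not app:
        findings.append("no application restriction")
    if not apis:
        findings.append("no API restriction: key works for every enabled API")
    # The Geocoding web service rejects referrer-restricted keys, as in the
    # error message quoted in the first post.
    if "browserKeyRestrictions" in app and GEOCODING in apis:
        findings.append("referrer-restricted key targets the Geocoding web "
                        "service, which rejects such keys")
    return findings

def audit(keys):
    """Map each key's display name to its findings."""
    return {k["displayName"]: audit_key(k) for k in keys}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS).items():
        print(name, "->", findings or ["ok"])
```

The `geocode-api-only` record shows the middle ground for a server-side key that cannot be IP-restricted: it is still flagged for the missing application restriction, but a leak would only expose the Geocoding API rather than every API enabled on the project.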