This page describes how to use API keys to authenticate to Google Cloud APIs and services that support API keys.

Most Google Cloud APIs don't support API keys. Check that the API that you want to use supports API keys before using this authentication method.

For information about using API keys to authenticate to Google Maps Platform, see the Google Maps Platform documentation. For more information about the API Keys API, see the API Keys API documentation.

Introduction to API keys

When you use an API key to authenticate to an API, the API key does not identify a principal, nor does it provide any authorization information. Therefore, the request does not use Identity and Access Management (IAM) to check whether the caller has permission to perform the requested operation.

The API key associates the request with a Google Cloud project for billing and quota purposes. Because API keys do not identify the caller, they are often used for accessing public data or resources.

Many Google Cloud APIs do not accept API keys for authentication. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys.

An API key has the following components, which you use to manage and use the key:

  • The API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. When you use an API key to authenticate, you always use the key's string. API keys do not have an associated JSON file.
  • The API key ID is used by Google Cloud administrative tools to uniquely identify the key. The key ID cannot be used to authenticate. The key ID can be found in the URL of the key's edit page in the Google Cloud console. You can also get the key ID by using the Google Cloud CLI to list the keys in your project.
  • The display name is an optional, descriptive name for the key, which you can set when you create or update the key.

To manage API keys, you must have the API Keys Admin role (roles/serviceusage.apiKeysAdmin) on the project.

Before you begin

Select the tab for how you plan to use the samples on this page:


When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.


In the Google Cloud console, activate Cloud Shell.

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.


To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  1. Install the Google Cloud CLI.
  2. To initialize the gcloud CLI, run the following command:

    gcloud init
  3. If you're using a local shell, then create local authentication credentials for your user account:

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.


To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  1. Install the Google Cloud CLI.
  2. To initialize the gcloud CLI, run the following command:

    gcloud init
  3. If you're using a local shell, then create local authentication credentials for your user account:

    gcloud auth application-default login

    You don't need to do this if you're using Cloud Shell.

For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.


To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

    Install the Google Cloud CLI, then initialize it by running the following command:

    gcloud init

For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Create an API key

To create an API key, use one of the following options:


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click Create credentials, then select API key from the menu.

    The API key created dialog displays the string for your newly created key.


You use the gcloud services api-keys create command to create an API key.

Replace DISPLAY_NAME with a descriptive name for your key.

 gcloud services api-keys create --display-name=DISPLAY_NAME 


To run this sample, you must install the google-cloud-apikeys client library.

    import com.google.api.apikeys.v2.ApiKeysClient;
    import com.google.api.apikeys.v2.ApiTarget;
    import com.google.api.apikeys.v2.CreateKeyRequest;
    import com.google.api.apikeys.v2.Key;
    import com.google.api.apikeys.v2.LocationName;
    import com.google.api.apikeys.v2.Restrictions;
    import java.io.IOException;
    import java.util.concurrent.ExecutionException;
    import java.util.concurrent.TimeUnit;
    import java.util.concurrent.TimeoutException;

    public class CreateApiKey {

      public static void main(String[] args)
          throws IOException, ExecutionException, InterruptedException, TimeoutException {
        // TODO(Developer): Before running this sample,
        //  1. Replace the variable(s) below.
        //  2. Set up ADC as described in
        //  3. Make sure you have the necessary permission to create API keys.
        String projectId = "GOOGLE_CLOUD_PROJECT_ID";

        createApiKey(projectId);
      }

      // Creates an API key.
      public static void createApiKey(String projectId)
          throws IOException, ExecutionException, InterruptedException, TimeoutException {
        // Initialize client that will be used to send requests. This client only needs to be created
        // once, and can be reused for multiple requests. After completing all of your requests, call
        // the `apiKeysClient.close()` method on the client to safely
        // clean up any remaining background resources.
        try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

          Key key = Key.newBuilder()
              .setDisplayName("My first API key")
              // Set the API key restriction.
              // You can also set browser/ server/ android/ ios based restrictions.
              // For more information on API key restriction, see:
              .setRestrictions(Restrictions.newBuilder()
                  // Restrict the API key usage by specifying the target service and methods.
                  // The API key can only be used to authenticate the specified methods in the service.
                  .addApiTargets(ApiTarget.newBuilder()
                      .setService("")
                      .addMethods("")
                      .build())
                  .build())
              .build();

          // Initialize request and set arguments.
          CreateKeyRequest createKeyRequest = CreateKeyRequest.newBuilder()
              // API keys can only be global.
              .setParent(LocationName.of(projectId, "global").toString())
              .setKey(key)
              .build();

          // Make the request and wait for the operation to complete.
          Key result = apiKeysClient.createKeyAsync(createKeyRequest).get(3, TimeUnit.MINUTES);

          // For authenticating with the API key, use the value in "result.getKeyString()".
          // To restrict the usage of this API key, use the value in "result.getName()".
          System.out.printf("Successfully created an API key: %s", result.getName());
        }
      }
    }


To run this sample, you must install the API Keys client library.

    from google.cloud import api_keys_v2
    from google.cloud.api_keys_v2 import Key


    def create_api_key(project_id: str, suffix: str) -> Key:
        """
        Creates and restrict an API key. Add the suffix for uniqueness.

        TODO(Developer):
        1. Before running this sample,
          set up ADC as described in
        2. Make sure you have the necessary permission to create API keys.

        Args:
            project_id: Google Cloud project id.
            suffix: Text appended to the display name for uniqueness.

        Returns:
            response: Returns the created API Key.
        """
        # Create the API Keys client.
        client = api_keys_v2.ApiKeysClient()

        key = api_keys_v2.Key()
        key.display_name = f"My first API key - {suffix}"

        # Initialize request and set arguments.
        request = api_keys_v2.CreateKeyRequest()
        request.parent = f"projects/{project_id}/locations/global"
        request.key = key

        # Make the request and wait for the operation to complete.
        response = client.create_key(request=request).result()

        print(f"Successfully created an API key: {response.name}")
        # For authenticating with the API key, use the value in "response.key_string".
        # To restrict the usage of this API key, use the value in "response.name".
        return response


You use the keys.create method to create an API key. This request returns a long-running operation; you must poll the operation to get the information for the new key.

Replace the following values:

  • DISPLAY_NAME: Optional. A descriptive name for your key.
  • PROJECT_ID: Your Google Cloud project ID or name.

    curl -X POST \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      -d {'"displayName" : "DISPLAY_NAME"'} \
      ""

For more information about creating API keys using the REST API, see Creating an API key in the API Keys API documentation.

Copy your key string and keep it secure. Unless you're using a testing key that you intend to delete later, add application and API key restrictions.
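One way to check that a key string has not ended up in source files or logs, as an added example (not Google's code). It assumes key strings have the shape of the sample string on this page, and that the query parameter is named `key`; the scanned text is constructed.

```python
import re
from typing import List, NamedTuple

# Assumption: key strings have the shape of the sample on this page, "AIza"
# followed by 35 URL-safe base64 characters (39 characters in total).
KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")


class Finding(NamedTuple):
    source: str    # file or log name the text came from
    line_no: int   # 1-based line number
    context: str   # "url-query", "header" or "literal"
    redacted: str  # enough of the key to find it in the console, no more


def redact(key: str) -> str:
    """Keep the first 8 and last 4 characters so the key can be identified."""
    return f"{key[:8]}...{key[-4:]}"


def classify(line: str, start: int) -> str:
    """Say how the key at offset `start` was being carried."""
    before = line[:start]
    if re.search(r"[?&]key=$", before):
        return "url-query"   # ends up in access logs and browser history
    if "x-goog-api-key" in before.lower():
        return "header"
    return "literal"         # hard-coded in source or configuration


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one finding per key string found in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append(
                Finding(source, line_no, classify(line, match.start()),
                        redact(match.group(0)))
            )
    return findings


def scrub(text: str) -> str:
    """Replace every key string with its redacted form, e.g. before logging."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


# The sample key string shown on this page, placed in constructed lines.
SAMPLE_KEY = "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe"
SAMPLE_TEXT = "\n".join([
    f"GET /v1/example?key={SAMPLE_KEY} HTTP/1.1",
    f'curl -H "X-goog-api-key: {SAMPLE_KEY}" ...',
    f'API_KEY = "{SAMPLE_KEY}"',
    "AIzaSyTooShort is not a key",
])

if __name__ == "__main__":
    for finding in scan_text("constructed-sample", SAMPLE_TEXT):
        print(finding)
    print(scrub(SAMPLE_TEXT))
```

A key found this way should be treated as exposed: delete it and create a replacement, rather than only removing the line.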

Use an API key

If an API supports the use of API keys, you can use API keys to authenticate to that API. You use API keys with REST requests and with client libraries that support them.

Using an API key with REST

You can pass the API key into a REST API call as a query parameter with the following format. Replace API_KEY with the key string of your API key.

For example, to pass an API key for a Cloud Natural Language API request for documents.analyzeEntities:


Alternatively, you can use the x-goog-api-key header to pass in your key. This header must be used with gRPC requests.

    curl -X POST \
      -H "X-goog-api-key: API_KEY" \
      -H "Content-Type: application/json; charset=utf-8" \
      -d @request.json \
      ""

Using an API key with client libraries

Client library support for API keys is language-specific.

This example uses the Cloud Natural Language API, which supports API keys for authentication, to demonstrate how you would provide an API key to the library.


To run this sample, you must install the Natural Language client library and the API Keys client library.

    const {
      v1: {LanguageServiceClient},
    } = require('@google-cloud/language');

    /**
     * Authenticates with an API key for Google Language service.
     *
     * @param {string} apiKey An API Key to use
     */
    async function authenticateWithAPIKey(apiKey) {
      const language = new LanguageServiceClient({apiKey});

      // Alternatively:
      // const {GoogleAuth} = require('google-auth-library');
      // const auth = new GoogleAuth({apiKey});
      // const language = new LanguageServiceClient({auth});

      const text = 'Hello, world!';

      const [response] = await language.analyzeSentiment({
        document: {
          content: text,
          type: 'PLAIN_TEXT',
        },
      });

      console.log(`Text: ${text}`);
      console.log(
        `Sentiment: ${response.documentSentiment.score}, ${response.documentSentiment.magnitude}`
      );
      console.log('Successfully authenticated using the API key');
    }

    // The key string is read from the first command-line argument.
    authenticateWithAPIKey(process.argv[2]).catch(console.error);


To run this sample, you must install the Natural Language client library and the API Keys client library.

    from google.cloud import language_v1


    def authenticate_with_api_key(api_key_string: str) -> None:
        """
        Authenticates with an API key for Google Language service.

        TODO(Developer): Replace this variable before running the sample.

        Args:
            api_key_string: The API key to authenticate to the service.
        """
        # Initialize the Language Service client and set the API key
        client = language_v1.LanguageServiceClient(
            client_options={"api_key": api_key_string}
        )

        text = "Hello, world!"
        document = language_v1.Document(
            content=text, type_=language_v1.Document.Type.PLAIN_TEXT
        )

        # Make a request to analyze the sentiment of the text.
        sentiment = client.analyze_sentiment(
            request={"document": document}
        ).document_sentiment

        print(f"Text: {text}")
        print(f"Sentiment: {sentiment.score}, {sentiment.magnitude}")
        print("Successfully authenticated using the API key")

Secure an API key

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. Publicly exposing your API keys can lead to unexpected charges on your account. To help keep your API keys secure, follow these best practices:

  • Add API key restrictions to your key.

    By adding restrictions, you can limit the ways an API key can be used, reducing the impact of a compromised API key.

  • Delete unneeded API keys to minimize exposure to attacks.

  • Recreate your API keys periodically.

    Periodically create new API keys, delete the old keys, and update your applications to use the new API keys.

Apply API key restrictions

API keys are unrestricted by default. Unrestricted keys are insecure because they can be used by anyone from anywhere. For production applications, you should set both application restrictions and API restrictions.
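The audit below applies these practices to a key inventory: it flags keys that lack an application restriction, lack an API restriction, or are older than a rotation threshold. It is an added example, not Google's code; the key records are constructed in the JSON (camelCase) shape of the API Keys API Key resource, and the 90-day threshold is an assumed local policy.

```python
from datetime import datetime, timedelta, timezone

# Application restriction types and the list each one carries (JSON field
# names of the API Keys API Key resource).
APP_RESTRICTIONS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}
MAX_KEY_AGE = timedelta(days=90)  # assumption: local rotation policy


def parse_create_time(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp, ignoring fractional seconds."""
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def audit_key(key: dict, now: datetime) -> list:
    """Return the list of issues found for one key record."""
    restrictions = key.get("restrictions") or {}
    issues = []

    # A restriction object with an empty list restricts nothing, so look at
    # the list itself rather than at the presence of the object.
    has_app_restriction = any(
        (restrictions.get(kind) or {}).get(items)
        for kind, items in APP_RESTRICTIONS.items()
    )
    if not has_app_restriction:
        issues.append("no application restriction")
    if not restrictions.get("apiTargets"):
        issues.append("no API restriction")

    age = now - parse_create_time(key["createTime"])
    if age > MAX_KEY_AGE:
        issues.append(f"created {age.days} days ago, rotation overdue")
    return issues


def audit_inventory(keys: list, now: datetime) -> dict:
    """Return {key uid: [issues]} for every key with at least one issue."""
    report = {}
    for key in keys:
        issues = audit_key(key, now)
        if issues:
            report[key["uid"]] = issues
    return report


# Constructed inventory; uids and values are placeholders.
API_TARGET = [{"service": "language.googleapis.com"}]
SAMPLE_KEYS = [
    {"uid": "key-1", "createTime": "2024-01-10T00:00:00Z"},
    {"uid": "key-2", "createTime": "2024-05-01T00:00:00Z",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": ["ALLOWED_REFERRER_1"]},
         "apiTargets": API_TARGET}},
    {"uid": "key-3", "createTime": "2024-04-15T12:30:00.123456Z",
     "restrictions": {
         "serverKeyRestrictions": {"allowedIps": ["198.51.100.7"]}}},
    {"uid": "key-4", "createTime": "2024-05-20T00:00:00Z",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": []},
         "apiTargets": API_TARGET}},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for uid, issues in audit_inventory(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(uid, "->", "; ".join(issues))
```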

Add application restrictions

Application restrictions specify which websites, IP addresses, or apps can use an API key.

You can apply only one application restriction type at a time. Choose the restriction type based on your application type:

| Option | Application type | Notes |
| --- | --- | --- |
| HTTP referrers | Web applications | Specifies the websites that can use the key. |
| IP Addresses | Applications called by specific servers | Specifies the servers or cron jobs that can use the key. |
| Android apps | Android applications | Specifies the Android application that can use the key. |
| iOS apps | iOS applications | Specifies the iOS bundles that can use the key. |

HTTP referrers

To restrict the websites that can use your API key, you add one or more HTTP referrer restrictions.

You can substitute a wildcard character (*) for the subdomain or the path, but you cannot insert a wildcard character into the middle of the URL. For example, * is valid, and accepts all sites ending in However, mysubdomain* is not a valid restriction.

Port numbers can be included in HTTP referrer restrictions. If you include a port number, then only requests using that port are matched. If you do not specify a port number, then requests from any port number are matched.

You can add up to 1200 HTTP referrers to an API key.

The following table shows some example scenarios and browser restrictions:

Scenario: Allow a specific URL

Add a URL with an exact path. For example:

Some browsers implement a referrer policy that sends only the origin URL for cross-origin requests. Users of these browsers can't use keys with page-specific URL restrictions.

Scenario: Allow any URL in your site

You must set two URLs in the allowedReferers list.

  1. URL for the domain, without a subdomain, and with a wildcard for the path. For example: *
  2. A second URL that includes a wildcard for the subdomain and a wildcard for the path. For example:

Scenario: Allow any URL in a single subdomain or naked domain

You must set two URLs in the allowedReferers list to allow an entire domain:

  1. URL for the domain, without a trailing slash. For example:
  2. A second URL for the domain that includes a wildcard for the path. For example: ***

To restrict your API key to specific websites, use one of the following options:


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click the name of the API key that you want to restrict.

  3. In the Application restrictions section, select HTTP referrers.

  4. For each restriction that you want to add, click Add an item, enter the restriction, and click Done.

  5. Click Save to save your changes and return to the API key list.


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.

  2. Use the gcloud services api-keys update command to add HTTP referrer restrictions to an API key.

    Replace the following values:

    • KEY_ID: The ID of the key that you want to restrict.
    • ALLOWED_REFERRER_1: Your HTTP referrer restriction.

      You can add as many restrictions as needed; use commas to separate the restrictions. You must provide all referrer restrictions with the update command; the referrer restrictions provided replace any existing referrer restrictions on the key.

    gcloud services api-keys update KEY_ID \
      --allowed-referrers="ALLOWED_REFERRER_1"


To run this sample, you must install the google-cloud-apikeys client library.

    import com.google.api.apikeys.v2.ApiKeysClient;
    import com.google.api.apikeys.v2.BrowserKeyRestrictions;
    import com.google.api.apikeys.v2.Key;
    import com.google.api.apikeys.v2.Restrictions;
    import com.google.api.apikeys.v2.UpdateKeyRequest;
    import com.google.protobuf.FieldMask;
    import java.io.IOException;
    import java.util.concurrent.ExecutionException;
    import java.util.concurrent.TimeUnit;
    import java.util.concurrent.TimeoutException;

    public class RestrictApiKeyHttp {

      public static void main(String[] args)
          throws IOException, ExecutionException, InterruptedException, TimeoutException {
        // TODO(Developer): Before running this sample,
        //  1. Replace the variable(s) below.
        String projectId = "GOOGLE_CLOUD_PROJECT_ID";

        // ID of the key to restrict. This ID is auto-created during key creation.
        // This is different from the key string. To obtain the key_id,
        // you can also use the lookup api: client.lookupKey()
        String keyId = "key_id";

        restrictApiKeyHttp(projectId, keyId);
      }

      // Restricts an API key. To restrict the websites that can use your API key,
      // you add one or more HTTP referrer restrictions.
      public static void restrictApiKeyHttp(String projectId, String keyId)
          throws IOException, ExecutionException, InterruptedException, TimeoutException {
        // Initialize client that will be used to send requests. This client only needs to be created
        // once, and can be reused for multiple requests. After completing all of your requests, call
        // the `apiKeysClient.close()` method on the client to safely
        // clean up any remaining background resources.
        try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

          // Restrict the API key usage to specific websites by adding them
          // to the list of allowed_referrers.
          Restrictions restrictions = Restrictions.newBuilder()
              .setBrowserKeyRestrictions(BrowserKeyRestrictions.newBuilder()
                  .addAllowedReferrers("*")
                  .build())
              .build();

          Key key = Key.newBuilder()
              .setName(String.format("projects/%s/locations/global/keys/%s", projectId, keyId))
              // Set the restriction(s).
              // For more information on API key restriction, see:
              .setRestrictions(restrictions)
              .build();

          // Initialize request and set arguments.
          // The update mask limits the change to the "restrictions" field.
          UpdateKeyRequest updateKeyRequest = UpdateKeyRequest.newBuilder()
              .setKey(key)
              .setUpdateMask(FieldMask.newBuilder().addPaths("restrictions").build())
              .build();

          // Make the request and wait for the operation to complete.
          Key result = apiKeysClient.updateKeyAsync(updateKeyRequest).get(3, TimeUnit.MINUTES);

          // For authenticating with the API key, use the value in "result.getKeyString()".
          System.out.printf("Successfully updated the API key: %s", result.getName());
        }
      }
    }


To run this sample, you must install the API Keys client library.

    from google.cloud import api_keys_v2
    from google.cloud.api_keys_v2 import Key


    def restrict_api_key_http(project_id: str, key_id: str) -> Key:
        """
        Restricts an API key. To restrict the websites that can use your API key,
        you add one or more HTTP referrer restrictions.

        TODO(Developer): Replace the variables before running this sample.

        Args:
            project_id: Google Cloud project id.
            key_id: ID of the key to restrict. This ID is auto-created during key creation.
                This is different from the key string. To obtain the key_id,
                you can also use the lookup api: client.lookup_key()

        Returns:
            response: Returns the updated API Key.
        """
        # Create the API Keys client.
        client = api_keys_v2.ApiKeysClient()

        # Restrict the API key usage to specific websites by adding them to the list of allowed_referrers.
        browser_key_restrictions = api_keys_v2.BrowserKeyRestrictions()
        browser_key_restrictions.allowed_referrers = ["*"]

        # Set the API restriction.
        # For more information on API key restriction, see:
        restrictions = api_keys_v2.Restrictions()
        restrictions.browser_key_restrictions = browser_key_restrictions

        key = api_keys_v2.Key()
        key.name = f"projects/{project_id}/locations/global/keys/{key_id}"
        key.restrictions = restrictions

        # Initialize request and set arguments.
        # The update mask limits the change to the "restrictions" field.
        request = api_keys_v2.UpdateKeyRequest()
        request.key = key
        request.update_mask = "restrictions"

        # Make the request and wait for the operation to complete.
        response = client.update_key(request=request).result()

        print(f"Successfully updated the API key: {response.name}")
        # Use response.key_string to authenticate.
        return response


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.

    Replace PROJECT_ID with your Google Cloud project ID or name.

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      ""

  2. Use the keys.patch method to add HTTP referrer restrictions to the API key.

    This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.

    Replace the following values:

    • ALLOWED_REFERRER_1: Your HTTP referrer restriction.

      You can add as many restrictions as needed; use commas to separate the restrictions. You must provide all referrer restrictions with the request; the referrer restrictions provided replace any existing referrer restrictions on the key.

    • PROJECT_ID: Your Google Cloud project ID or name.

    • KEY_ID: The ID of the key that you want to restrict.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      --data '{"restrictions" : {"browserKeyRestrictions": { "allowedReferrers": ["ALLOWED_REFERRER_1"]}}}' \
      ""

For more information about adding HTTP referrer restrictions to a key using the REST API, see Adding browser restrictions in the API Keys API documentation.

IP Addresses

You can specify one or more IP addresses of the callers, such as a web server or cron job, that are allowed to use your API key. You can specify the IP addresses in any of the following formats:

  • IPv4 (
  • IPv6 (2001:db8::1)
  • A subnet using CIDR notation (, 2001:db8::/64)

Using localhost is not supported for server restrictions.
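A pre-flight check for an allowed-IP list, as an added example (not Google's code): it accepts the three formats listed above, rejects localhost and loopback entries, and also rejects a zero-length prefix because it matches every address. The function names are hypothetical and the addresses are constructed documentation ranges; the output is the comma-separated value for the `--allowed-ips` flag shown further down this page.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def check_entry(entry: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (normalised value, None) if usable, else (None, reason)."""
    text = entry.strip()
    try:
        # strict=False accepts "198.51.100.7/24" and normalises it to the
        # subnet it denotes (198.51.100.0/24).
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        # Host names such as "localhost" and empty strings land here.
        return None, "not an IPv4/IPv6 address or CIDR subnet"
    if net.is_loopback:
        return None, "loopback (localhost) is not supported"
    if net.prefixlen == 0:
        return None, "matches every address, so it restricts nothing"
    # Keep single addresses as addresses and subnets in CIDR notation.
    value = str(net) if "/" in text else str(net.network_address)
    return value, None


def split_allowed_ips(entries: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split entries into a de-duplicated accepted list and rejected reasons."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for entry in entries:
        value, reason = check_entry(entry)
        if reason is not None:
            rejected[entry] = reason
        elif value not in accepted:
            accepted.append(value)
    return accepted, rejected


def allowed_ips_flag(entries: List[str]) -> str:
    """Build the --allowed-ips flag, refusing lists with unusable entries."""
    accepted, rejected = split_allowed_ips(entries)
    if rejected:
        raise ValueError(f"unusable entries: {rejected}")
    if not accepted:
        raise ValueError("no IP addresses given")
    return "--allowed-ips=" + ",".join(accepted)


# Constructed input mixing usable and unusable entries.
SAMPLE_ENTRIES = [
    "198.51.100.7",
    "198.51.100.7/24",
    "2001:db8::1",
    "2001:db8::/64",
    "localhost",
    "127.0.0.1",
    "::1",
    "0.0.0.0/0",
    "",
    "198.51.100.7",
]

if __name__ == "__main__":
    ok, bad = split_allowed_ips(SAMPLE_ENTRIES)
    print("accepted:", ok)
    for entry, reason in bad.items():
        print(f"rejected {entry!r}: {reason}")
    print(allowed_ips_flag(ok))
```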

To restrict your API key to specific IP addresses, use one of the following options:


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click the name of the API key that you want to restrict.

  3. In the Application restrictions section, select IP addresses.

  4. For each IP address that you want to add, click Add an item, enter the address, and click Done.

  5. Click Save to save your changes and return to the API key list.


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.

  2. Use the gcloud services api-keys update command to add server (IP address) restrictions to an API key.

    Replace the following values:

    • KEY_ID: The ID of the key that you want to restrict.
    • ALLOWED_IP_ADDR_1: Your allowed IP address.

      You can add as many IP addresses as needed; use commas to separate the addresses.

    gcloud services api-keys update KEY_ID \
      --allowed-ips="ALLOWED_IP_ADDR_1"


To run this sample, you must install the google-cloud-apikeys client library.

    import com.google.api.apikeys.v2.ApiKeysClient;
    import com.google.api.apikeys.v2.Key;
    import com.google.api.apikeys.v2.Restrictions;
    import com.google.api.apikeys.v2.ServerKeyRestrictions;
    import com.google.api.apikeys.v2.UpdateKeyRequest;
    import com.google.protobuf.FieldMask;
    import java.io.IOException;
    import java.util.Arrays;
    import java.util.concurrent.ExecutionException;
    import java.util.concurrent.TimeUnit;
    import java.util.concurrent.TimeoutException;

    public class RestrictApiKeyServer {

      public static void main(String[] args)
          throws IOException, ExecutionException, InterruptedException, TimeoutException {
        // TODO(Developer): Before running this sample,
        //  1. Replace the variable(s) below.
        String projectId = "GOOGLE_CLOUD_PROJECT_ID";

        // ID of the key to restrict. This ID is auto-created during key creation.
        // This is different from the key string. To obtain the key_id,
        // you can also use the lookup api: client.lookupKey()
        String keyId = "key_id";

        restrictApiKeyServer(projectId, keyId);
      }

      // Restricts the API key based on IP addresses. You can specify one or more IP addresses
      // of the callers, for example web servers or cron jobs, that are allowed to use your API key.
      public static void restrictApiKeyServer(String projectId, String keyId)
          throws IOException, ExecutionException, InterruptedException, TimeoutException {
        // Initialize client that will be used to send requests. This client only needs to be created
        // once, and can be reused for multiple requests. After completing all of your requests, call
        // the `apiKeysClient.close()` method on the client to safely
        // clean up any remaining background resources.
        try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

          // Restrict the API key usage by specifying the IP addresses.
          // You can specify the IP addresses in IPv4 or IPv6 or a subnet using CIDR notation.
          Restrictions restrictions = Restrictions.newBuilder()
              .setServerKeyRestrictions(ServerKeyRestrictions.newBuilder()
                  .addAllAllowedIps(Arrays.asList("", "2000:db8::/64"))
                  .build())
              .build();

          Key key = Key.newBuilder()
              .setName(String.format("projects/%s/locations/global/keys/%s", projectId, keyId))
              // Set the restriction(s).
              // For more information on API key restriction, see:
              .setRestrictions(restrictions)
              .build();

          // Initialize request and set arguments.
          // The update mask limits the change to the "restrictions" field.
          UpdateKeyRequest updateKeyRequest = UpdateKeyRequest.newBuilder()
              .setKey(key)
              .setUpdateMask(FieldMask.newBuilder().addPaths("restrictions").build())
              .build();

          // Make the request and wait for the operation to complete.
          Key result = apiKeysClient.updateKeyAsync(updateKeyRequest).get(3, TimeUnit.MINUTES);

          // For authenticating with the API key, use the value in "result.getKeyString()".
          System.out.printf("Successfully updated the API key: %s", result.getName());
        }
      }
    }


To run this sample, you must install the API Keys client library.

    from google.cloud import api_keys_v2
    from google.cloud.api_keys_v2 import Key


    def restrict_api_key_server(project_id: str, key_id: str) -> Key:
        """
        Restricts the API key based on IP addresses. You can specify one or more IP addresses of the callers,
        for example web servers or cron jobs, that are allowed to use your API key.

        TODO(Developer): Replace the variables before running this sample.

        Args:
            project_id: Google Cloud project id.
            key_id: ID of the key to restrict. This ID is auto-created during key creation.
                This is different from the key string. To obtain the key_id,
                you can also use the lookup api: client.lookup_key()

        Returns:
            response: Returns the updated API Key.
        """
        # Create the API Keys client.
        client = api_keys_v2.ApiKeysClient()

        # Restrict the API key usage by specifying the IP addresses.
        # You can specify the IP addresses in IPv4 or IPv6 or a subnet using CIDR notation.
        server_key_restrictions = api_keys_v2.ServerKeyRestrictions()
        server_key_restrictions.allowed_ips = ["", "2000:db8::/64"]

        # Set the API restriction.
        # For more information on API key restriction, see:
        restrictions = api_keys_v2.Restrictions()
        restrictions.server_key_restrictions = server_key_restrictions

        key = api_keys_v2.Key()
        key.name = f"projects/{project_id}/locations/global/keys/{key_id}"
        key.restrictions = restrictions

        # Initialize request and set arguments.
        # The update mask limits the change to the "restrictions" field.
        request = api_keys_v2.UpdateKeyRequest()
        request.key = key
        request.update_mask = "restrictions"

        # Make the request and wait for the operation to complete.
        response = client.update_key(request=request).result()

        print(f"Successfully updated the API key: {response.name}")
        # Use response.key_string to authenticate.
        return response


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.

    Replace PROJECT_ID with your Google Cloud project ID or name.

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      ""

  2. Use the keys.patch method to add server (IP address) restrictions to an API key.

    This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.

    Replace the following values:

    • ALLOWED_IP_ADDR_1: Your allowed IP address.

      You can add as many IP addresses as needed; use commas to separate the restrictions. You must provide all IP addresses with the request; the IP addresses provided replace any existing IP address restrictions on the key.

    • PROJECT_ID: Your Google Cloud project ID or name.

    • KEY_ID: The ID of the key that you want to restrict.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      --data '{"restrictions" : { "serverKeyRestrictions": { "allowedIps": ["ALLOWED_IP_ADDR_1"] }}}' \
      ""

For more information about adding IP address restrictions to a key using the REST API, see Adding server restrictions in the API Keys API documentation.

Android apps

You can restrict usage of an API key to specific Android apps. You must provide the package name and the 20-byte SHA-1 certificate fingerprint for each app.

When you use the API key in a request, you must specify the package name and certificate fingerprint by using the following HTTP headers:

  • X-Android-Package
  • X-Android-Cert

To restrict your API key to one or more Android apps, use one of the following options:


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click the name of the API key that you want to restrict.

  3. In the Application restrictions section, select Android apps.

  4. For each Android app that you want to add, click Add an item and enter the package name and SHA-1 certificate fingerprint, then click Done.

  5. Click Save to save your changes and return to the API key list.


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.

  2. Use the gcloud services api-keys update command to specify the Android apps that can use an API key.

    Replace the following values:

    • KEY_ID: The ID of the key that you want to restrict.
    • SHA1_FINGERPRINT and PACKAGE_NAME: The app information for an Android app that can use the key.

      You can add as many apps as needed; use additional --allowed-application flags.

    gcloud services api-keys update KEY_ID \
      --allowed-application=sha1_fingerprint=SHA1_FINGERPRINT_1,package_name=PACKAGE_NAME_1 \
      --allowed-application=sha1_fingerprint=SHA1_FINGERPRINT_2,package_name=PACKAGE_NAME_2


To run this sample, you must install thegoogle-cloud-apikeys client library.

import com.google.api.apikeys.v2.AndroidApplication;
import com.google.api.apikeys.v2.AndroidKeyRestrictions;
import com.google.api.apikeys.v2.ApiKeysClient;
import com.google.api.apikeys.v2.Key;
import com.google.api.apikeys.v2.Restrictions;
import com.google.api.apikeys.v2.UpdateKeyRequest;
import com.google.protobuf.FieldMask;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class RestrictApiKeyAndroid {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(Developer): Before running this sample,
    //  1. Replace the variable(s) below.
    String projectId = "GOOGLE_CLOUD_PROJECT_ID";

    // ID of the key to restrict. This ID is auto-created during key creation.
    // This is different from the key string. To obtain the key_id,
    // you can also use the lookup api: client.lookupKey()
    String keyId = "key_id";

    restrictApiKeyAndroid(projectId, keyId);
  }

  // Restricts an API key based on android applications.
  // Specifies the Android application that can use the key.
  public static void restrictApiKeyAndroid(String projectId, String keyId)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `apiKeysClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

      // Restrict the API key usage by specifying the allowed android applications.
      Restrictions restrictions = Restrictions.newBuilder()
          .setAndroidKeyRestrictions(AndroidKeyRestrictions.newBuilder()
              .addAllowedApplications(AndroidApplication.newBuilder()
                  // Specify the android application's package name and SHA1 fingerprint.
                  // Replace the empty string with your app's package name.
                  .setPackageName("")
                  .setSha1Fingerprint("0873D391E987982FBBD30873D391E987982FBBD3")
                  .build())
              .build())
          .build();

      Key key = Key.newBuilder()
          .setName(String.format("projects/%s/locations/global/keys/%s", projectId, keyId))
          // Set the restriction(s).
          .setRestrictions(restrictions)
          .build();

      // Initialize request and set arguments.
      // The update mask limits the change to the key's restrictions.
      UpdateKeyRequest updateKeyRequest = UpdateKeyRequest.newBuilder()
          .setKey(key)
          .setUpdateMask(FieldMask.newBuilder().addPaths("restrictions").build())
          .build();

      // Make the request and wait for the operation to complete.
      Key result = apiKeysClient.updateKeyAsync(updateKeyRequest).get(3, TimeUnit.MINUTES);

      // For authenticating with the API key, use the value in "result.getKeyString()".
      System.out.printf("Successfully updated the API key: %s", result.getName());
    }
  }
}


To run this sample, you must install the API Keys client library.

from google.cloud import api_keys_v2
from google.cloud.api_keys_v2 import Key


def restrict_api_key_android(project_id: str, key_id: str) -> Key:
    """
    Restricts an API key based on android applications.

    Specifies the Android application that can use the key.

    TODO(Developer): Replace the variables before running this sample.

    Args:
        project_id: Google Cloud project id.
        key_id: ID of the key to restrict. This ID is auto-created during key creation.
            This is different from the key string. To obtain the key_id,
            you can also use the lookup api: client.lookup_key()

    Returns:
        response: Returns the updated API Key.
    """

    # Create the API Keys client.
    client = api_keys_v2.ApiKeysClient()

    # Specify the android application's package name and SHA1 fingerprint.
    # Replace the empty string with your app's package name.
    allowed_application = api_keys_v2.AndroidApplication()
    allowed_application.package_name = ""
    allowed_application.sha1_fingerprint = "0873D391E987982FBBD30873D391E987982FBBD3"

    # Restrict the API key usage by specifying the allowed applications.
    android_key_restriction = api_keys_v2.AndroidKeyRestrictions()
    android_key_restriction.allowed_applications = [allowed_application]

    # Set the restriction(s).
    restrictions = api_keys_v2.Restrictions()
    restrictions.android_key_restrictions = android_key_restriction

    key = api_keys_v2.Key()
    key.name = f"projects/{project_id}/locations/global/keys/{key_id}"
    key.restrictions = restrictions

    # Initialize request and set arguments.
    request = api_keys_v2.UpdateKeyRequest()
    request.key = key
    request.update_mask = "restrictions"

    # Make the request and wait for the operation to complete.
    response = client.update_key(request=request).result()

    print(f"Successfully updated the API key: {response.name}")
    # Use response.key_string to authenticate.
    return response


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.

    Replace PROJECT_ID with your Google Cloud project ID or name.

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys"

  2. Use the keys.patch method to specify the Android apps that can use an API key.

    This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.

    Replace the following values:

    • SHA1_FINGERPRINT_1 and PACKAGE_NAME_1: The app information for an Android app that can use the key.

      You can add the information for as many apps as needed; use commas to separate the AndroidApplication objects. You must provide all applications with the request; the applications provided replace any existing allowed applications on the key.

    • PROJECT_ID: Your Google Cloud project ID or name.

    • KEY_ID: The ID of the key that you want to restrict.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      --data '{
        "restrictions": {
          "androidKeyRestrictions": {
            "allowedApplications": [
              {
                "sha1Fingerprint": "SHA1_FINGERPRINT_1",
                "packageName": "PACKAGE_NAME_1"
              }
            ]
          }
        }
      }' \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"

For more information about adding Android app restrictions to a key using the REST API, see Adding Android restrictions in the API Keys API documentation.

iOS apps

You can restrict usage of an API key to specific iOS apps by providing the bundle ID of each app.

When you use the API key in a request, you must specify the bundle ID by using the X-Ios-Bundle-Identifier HTTP header.

To restrict your API key to one or more iOS apps, use one of the following options:


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click the name of the API key that you want to restrict.

  3. In the Application restrictions section, select iOS apps.

  4. For each iOS app that you want to add, click Add an item and enter the bundle ID, then click Done.

  5. Click Save to save your changes and return to the API key list.


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.

  2. Use the gcloud services api-keys update command to specify the iOS apps that can use the key.

    Replace the following values:

    • KEY_ID: The ID of the key that you want to restrict.
    • ALLOWED_BUNDLE_ID: The bundle ID of an iOS app that you want to be able to use this API key.

      You can add as many bundle IDs as needed; use commas to separate the IDs.

    gcloud services api-keys update KEY_ID \
      --allowed-bundle-ids=ALLOWED_BUNDLE_ID_1,ALLOWED_BUNDLE_ID_2


To run this sample, you must install the google-cloud-apikeys client library.

import com.google.api.apikeys.v2.ApiKeysClient;
import com.google.api.apikeys.v2.IosKeyRestrictions;
import com.google.api.apikeys.v2.Key;
import com.google.api.apikeys.v2.Restrictions;
import com.google.api.apikeys.v2.UpdateKeyRequest;
import com.google.protobuf.FieldMask;
import java.io.IOException;
import java.util.Arrays;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class RestrictApiKeyIos {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(Developer): Before running this sample,
    //  1. Replace the variable(s) below.
    String projectId = "GOOGLE_CLOUD_PROJECT_ID";

    // ID of the key to restrict. This ID is auto-created during key creation.
    // This is different from the key string. To obtain the key_id,
    // you can also use the lookup api: client.lookupKey()
    String keyId = "key_id";

    restrictApiKeyIos(projectId, keyId);
  }

  // Restricts an API key. You can restrict usage of an API key to specific iOS apps
  // by providing the bundle ID of each app.
  public static void restrictApiKeyIos(String projectId, String keyId)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `apiKeysClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

      // Restrict the API key usage by specifying the bundle ID(s)
      // of iOS app(s) that can use the key.
      // Replace the empty strings with the bundle IDs of your apps.
      Restrictions restrictions = Restrictions.newBuilder()
          .setIosKeyRestrictions(IosKeyRestrictions.newBuilder()
              .addAllAllowedBundleIds(Arrays.asList("", ""))
              .build())
          .build();

      Key key = Key.newBuilder()
          .setName(String.format("projects/%s/locations/global/keys/%s", projectId, keyId))
          // Set the restriction(s).
          .setRestrictions(restrictions)
          .build();

      // Initialize request and set arguments.
      UpdateKeyRequest updateKeyRequest = UpdateKeyRequest.newBuilder()
          .setKey(key)
          .setUpdateMask(FieldMask.newBuilder().addPaths("restrictions").build())
          .build();

      // Make the request and wait for the operation to complete.
      Key result = apiKeysClient.updateKeyAsync(updateKeyRequest).get(3, TimeUnit.MINUTES);

      // For authenticating with the API key, use the value in "result.getKeyString()".
      System.out.printf("Successfully updated the API key: %s", result.getName());
    }
  }
}


To run this sample, you must install the API Keys client library.

from google.cloud import api_keys_v2
from google.cloud.api_keys_v2 import Key


def restrict_api_key_ios(project_id: str, key_id: str) -> Key:
    """
    Restricts an API key. You can restrict usage of an API key to specific iOS apps
    by providing the bundle ID of each app.

    TODO(Developer): Replace the variables before running this sample.

    Args:
        project_id: Google Cloud project id.
        key_id: ID of the key to restrict. This ID is auto-created during key creation.
            This is different from the key string. To obtain the key_id,
            you can also use the lookup api: client.lookup_key()

    Returns:
        response: Returns the updated API Key.
    """

    # Create the API Keys client.
    client = api_keys_v2.ApiKeysClient()

    # Restrict the API key usage by specifying the bundle ID(s) of iOS app(s) that can use the key.
    # Replace the empty strings with the bundle IDs of your apps.
    ios_key_restrictions = api_keys_v2.IosKeyRestrictions()
    ios_key_restrictions.allowed_bundle_ids = ["", ""]

    # Set the API restriction.
    restrictions = api_keys_v2.Restrictions()
    restrictions.ios_key_restrictions = ios_key_restrictions

    key = api_keys_v2.Key()
    key.name = f"projects/{project_id}/locations/global/keys/{key_id}"
    key.restrictions = restrictions

    # Initialize request and set arguments.
    request = api_keys_v2.UpdateKeyRequest()
    request.key = key
    request.update_mask = "restrictions"

    # Make the request and wait for the operation to complete.
    response = client.update_key(request=request).result()

    print(f"Successfully updated the API key: {response.name}")
    # Use response.key_string to authenticate.
    return response


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.

    Replace PROJECT_ID with your Google Cloud project ID or name.

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys"

  2. Use the keys.patch method to specify the iOS apps that can use an API key.

    This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.

    Replace the following values:

    • ALLOWED_BUNDLE_ID: The bundle ID of an iOS app that can use the key.

      You can add the information for as many apps as needed; use commas to separate the bundle IDs. You must provide all bundle IDs with the request; the bundle IDs provided replace any existing allowed applications on the key.

    • PROJECT_ID: Your Google Cloud project ID or name.

    • KEY_ID: The ID of the key that you want to restrict.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      --data '{
        "restrictions": {
          "iosKeyRestrictions": {
            "allowedBundleIds": ["ALLOWED_BUNDLE_ID_1", "ALLOWED_BUNDLE_ID_2"]
          }
        }
      }' \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"

For more information about adding iOS app restrictions to a key using the REST API, see Adding iOS restrictions in the API Keys API documentation.

Add API restrictions

API restrictions specify which APIs can be called using the API key.

To add API restrictions, use one of the following options:


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click the name of the API key that you want to restrict.

  3. In the API restrictions section, click Restrict key.

  4. Select all APIs that your API key will be used to access.

  5. Click Save to save your changes and return to the API key list.


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list command to list the keys in your project.

  2. Use the gcloud services api-keys update command to specify which services an API key can be used to authenticate to.

    Replace the following values:

    • KEY_ID: The ID of the key that you want to restrict.
    • SERVICE_1, SERVICE_2...: The service names of the APIs that the key can be used to access.

      You must provide all service names with the update command; the service names provided replace any existing services on the key.

    You can find the service name by searching for the API on the API dashboard. Service names are strings like

    gcloud services api-keys update KEY_ID \
      --api-target=service=SERVICE_1 --api-target=service=SERVICE_2


To run this sample, you must install the google-cloud-apikeys client library.

import com.google.api.apikeys.v2.ApiKeysClient;
import com.google.api.apikeys.v2.ApiTarget;
import com.google.api.apikeys.v2.Key;
import com.google.api.apikeys.v2.Restrictions;
import com.google.api.apikeys.v2.UpdateKeyRequest;
import com.google.protobuf.FieldMask;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class RestrictApiKeyApi {

  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // TODO(Developer): Before running this sample,
    //  1. Replace the variable(s) below.
    String projectId = "GOOGLE_CLOUD_PROJECT_ID";

    // ID of the key to restrict. This ID is auto-created during key creation.
    // This is different from the key string. To obtain the key_id,
    // you can also use the lookup api: client.lookupKey()
    String keyId = "key_id";

    restrictApiKeyApi(projectId, keyId);
  }

  // Restricts an API key. Restrictions specify which APIs can be called using the API key.
  public static void restrictApiKeyApi(String projectId, String keyId)
      throws IOException, ExecutionException, InterruptedException, TimeoutException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `apiKeysClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

      // Restrict the API key usage by specifying the target service and methods.
      // The API key can only be used to authenticate the specified methods in the service.
      // Replace the empty strings with the service name and the method to allow.
      Restrictions restrictions = Restrictions.newBuilder()
          .addApiTargets(ApiTarget.newBuilder()
              .setService("")
              .addMethods("")
              .build())
          .build();

      Key key = Key.newBuilder()
          .setName(String.format("projects/%s/locations/global/keys/%s", projectId, keyId))
          // Set the restriction(s).
          .setRestrictions(restrictions)
          .build();

      // Initialize request and set arguments.
      UpdateKeyRequest updateKeyRequest = UpdateKeyRequest.newBuilder()
          .setKey(key)
          .setUpdateMask(FieldMask.newBuilder().addPaths("restrictions").build())
          .build();

      // Make the request and wait for the operation to complete.
      Key result = apiKeysClient.updateKeyAsync(updateKeyRequest).get(3, TimeUnit.MINUTES);

      // For authenticating with the API key, use the value in "result.getKeyString()".
      System.out.printf("Successfully updated the API key: %s", result.getName());
    }
  }
}


To run this sample, you must install the API Keys client library.

from google.cloud import api_keys_v2
from google.cloud.api_keys_v2 import Key


def restrict_api_key_api(project_id: str, key_id: str) -> Key:
    """
    Restricts an API key. Restrictions specify which APIs can be called using the API key.

    TODO(Developer): Replace the variables before running the sample.

    Args:
        project_id: Google Cloud project id.
        key_id: ID of the key to restrict. This ID is auto-created during key creation.
            This is different from the key string. To obtain the key_id,
            you can also use the lookup api: client.lookup_key()

    Returns:
        response: Returns the updated API Key.
    """

    # Create the API Keys client.
    client = api_keys_v2.ApiKeysClient()

    # Restrict the API key usage by specifying the target service and methods.
    # The API key can only be used to authenticate the specified methods in the service.
    # Replace the empty strings with the service name and the method to allow.
    api_target = api_keys_v2.ApiTarget()
    api_target.service = ""
    api_target.methods = [""]

    # Set the API restriction(s).
    restrictions = api_keys_v2.Restrictions()
    restrictions.api_targets = [api_target]

    key = api_keys_v2.Key()
    key.name = f"projects/{project_id}/locations/global/keys/{key_id}"
    key.restrictions = restrictions

    # Initialize request and set arguments.
    request = api_keys_v2.UpdateKeyRequest()
    request.key = key
    request.update_mask = "restrictions"

    # Make the request and wait for the operation to complete.
    response = client.update_key(request=request).result()

    print(f"Successfully updated the API key: {response.name}")
    # Use response.key_string to authenticate.
    return response


  1. Get the ID of the key that you want to restrict.

    The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method. The ID is listed in the uid field of the response.

    Replace PROJECT_ID with your Google Cloud project ID or name.

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys"

  2. Use the keys.patch method to specify which services an API key can be used to authenticate to.

    This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.

    Replace the following values:

    • SERVICE_1, SERVICE_2...: The service names of the APIs that the key can be used to access.

      You must provide all service names with the request; the service names provided replace any existing services on the key.

      You can find the service name by searching for the API on the API dashboard. Service names are strings like

    • PROJECT_ID: Your Google Cloud project ID or name.

    • KEY_ID: The ID of the key that you want to restrict.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      --data '{
        "restrictions": {
          "apiTargets": [
            { "service": "SERVICE_1" },
            { "service": "SERVICE_2" }
          ]
        }
      }' \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID?updateMask=restrictions"

For more information about adding API restrictions to a key using the REST API, see Adding API restrictions in the API Keys API documentation.
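Because the Android, iOS and API restriction requests above all replace what is already on the key, adding one app or service means sending the complete list. The following Python sketch is an added example, not one of the original samples: it merges additions into a key's current restrictions object, as returned by keys.list, and returns the body for the keys.patch request. The function names and the sample key are constructed for illustration, and it assumes that the restrictions update mask replaces the whole object and that a key holds only one kind of application restriction at a time.

```python
import copy
import json

# Assumption: a key carries at most one kind of application restriction at a time.
APP_RESTRICTION_KINDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def normalize_fingerprint(fingerprint: str) -> str:
    """Return a SHA-1 fingerprint as 40 upper-case hex digits (colons removed)."""
    digits = fingerprint.replace(":", "").strip().upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return digits


def claim_app_restriction(restrictions: dict, kind: str) -> dict:
    """Return the sub-object for `kind`; refuse to overwrite a different kind."""
    for other in APP_RESTRICTION_KINDS:
        if other != kind and restrictions.get(other):
            raise ValueError(f"key is already restricted by {other}")
    return restrictions.setdefault(kind, {})


def build_patch_body(current_key, *, android_apps=(), bundle_ids=(), services=()):
    """Merge additions into the key's current restrictions; return the PATCH body."""
    # Work on a copy so the caller's view of the key is left untouched.
    restrictions = copy.deepcopy(current_key.get("restrictions", {}))

    if android_apps:
        android = claim_app_restriction(restrictions, "androidKeyRestrictions")
        apps = android.setdefault("allowedApplications", [])
        for app in apps:
            app["sha1Fingerprint"] = normalize_fingerprint(app["sha1Fingerprint"])
        seen = {(a["packageName"], a["sha1Fingerprint"]) for a in apps}
        for package_name, fingerprint in android_apps:
            pair = (package_name, normalize_fingerprint(fingerprint))
            if pair not in seen:
                seen.add(pair)
                apps.append({"sha1Fingerprint": pair[1], "packageName": pair[0]})

    if bundle_ids:
        ios = claim_app_restriction(restrictions, "iosKeyRestrictions")
        allowed = ios.setdefault("allowedBundleIds", [])
        for bundle_id in bundle_ids:
            if bundle_id not in allowed:
                allowed.append(bundle_id)

    if services:
        targets = restrictions.setdefault("apiTargets", [])
        for service in services:
            if all(t.get("service") != service for t in targets):
                targets.append({"service": service})

    return {"restrictions": restrictions}


# Constructed sample of one key from a keys.list response (values are made up).
CURRENT_KEY = {
    "name": "projects/PROJECT_ID/locations/global/keys/KEY_ID",
    "uid": "KEY_ID",
    "restrictions": {
        "androidKeyRestrictions": {
            "allowedApplications": [
                {"sha1Fingerprint": "0873D391E987982FBBD30873D391E987982FBBD3",
                 "packageName": "com.example.first"}
            ]
        },
        "apiTargets": [{"service": "SERVICE_1"}],
    },
}

if __name__ == "__main__":
    body = build_patch_body(
        CURRENT_KEY,
        android_apps=[("com.example.second",
                       "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09")],
        services=["SERVICE_2"],
    )
    # Send this as the --data payload of the keys.patch request.
    print(json.dumps(body, indent=2))
```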

Get project information from a key string

You can determine which Google Cloud project an API key is associated with from its string.

Replace KEY_STRING with the key string you need project information for.


You use the gcloud services api-keys lookup command to get the project ID from a key string.

 gcloud services api-keys lookup KEY_STRING 


To run this sample, you must install the google-cloud-apikeys client library.

import com.google.api.apikeys.v2.ApiKeysClient;
import com.google.api.apikeys.v2.LookupKeyRequest;
import com.google.api.apikeys.v2.LookupKeyResponse;
import java.io.IOException;

public class LookupApiKey {

  public static void main(String[] args) throws IOException {
    // TODO(Developer): Before running this sample,
    //  1. Replace the variable(s) below.
    //  2. Set up Application Default Credentials (ADC).
    //  3. Make sure you have the necessary permission to view API keys.
    // API key string to retrieve the API key name.
    String apiKeyString = "API_KEY_STRING";

    lookupApiKey(apiKeyString);
  }

  // Retrieves name (full path) of an API key using the API key string.
  public static void lookupApiKey(String apiKeyString) throws IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the `apiKeysClient.close()` method on the client to safely
    // clean up any remaining background resources.
    try (ApiKeysClient apiKeysClient = ApiKeysClient.create()) {

      // Initialize the lookup request and set the API key string.
      LookupKeyRequest lookupKeyRequest = LookupKeyRequest.newBuilder()
          .setKeyString(apiKeyString)
          .build();

      // Make the request and obtain the response.
      LookupKeyResponse response = apiKeysClient.lookupKey(lookupKeyRequest);

      System.out.printf("Successfully retrieved the API key name: %s", response.getName());
    }
  }
}


To run this sample, you must install the API Keys client library.

from google.cloud import api_keys_v2


def lookup_api_key(api_key_string: str) -> None:
    """
    Retrieves name (full path) of an API key using the API key string.

    TODO(Developer):
    1. Before running this sample, set up Application Default Credentials (ADC).
    2. Make sure you have the necessary permission to view API keys.

    Args:
        api_key_string: API key string to retrieve the API key name.
    """

    # Create the API Keys client.
    client = api_keys_v2.ApiKeysClient()

    # Initialize the lookup request and set the API key string.
    lookup_key_request = api_keys_v2.LookupKeyRequest(
        key_string=api_key_string,
        # Optionally, you can also set the etag (version).
        # etag=etag,
    )

    # Make the request and obtain the response.
    lookup_key_response = client.lookup_key(lookup_key_request)

    print(f"Successfully retrieved the API key name: {lookup_key_response.name}")


You use the lookupKey method to get the project ID from a key string.

curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://apikeys.googleapis.com/v2/keys:lookupKey?keyString=KEY_STRING"

Undelete an API key

If you delete an API key by mistake, you can undelete (restore) that key within 30 days of deleting the key. After 30 days, you cannot undelete the API key.


  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click Restore deleted credentials.

  3. Find the deleted API key that you want to undelete, and click Restore.

    Undeleting an API key may take a few minutes to propagate. After propagation, the undeleted API key is displayed in the API keys list.


  1. Get the ID of the key that you want to undelete.

    The ID is not the same as the display name or the key string. You can get the ID by using the gcloud services api-keys list --show-deleted command to list the deleted keys in your project.

  2. Use the gcloud services api-keys undelete command to undelete an API key.

    gcloud services api-keys undelete KEY_ID

    Replace the following values:

    • KEY_ID: The ID of the key that you want to undelete.


  1. Get the ID of the key that you want to undelete.

    The ID is not the same as the display name or the key string. You can get the ID by using the keys.list method, with the showDeleted query parameter set to true. The key ID is listed in the uid field of the response.

    Replace PROJECT_ID with your Google Cloud project ID or name.

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys?showDeleted=true"

  2. Use the undelete method to undelete the API key.

    curl -X POST \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json; charset=utf-8" \
      "https://apikeys.googleapis.com/v2/projects/PROJECT_ID/locations/global/keys/KEY_ID:undelete"

    This request returns a long-running operation; you must poll the operation to know when the operation completes and get the operation status.

    Replace the following values:

    • PROJECT_ID: Your Google Cloud project ID or name.
    • KEY_ID: The ID of the key that you want to restrict.

Poll long-running operations

API Keys API methods use long-running operations. If you use the REST API to create and manage API keys, an operation object is returned from the initial method request. You use the operation name to poll the long-running operation. When the long-running request completes, polling the operation returns the data from the long-running request.

To poll a long-running API Keys API operation, you use the operations.get method.

Replace OPERATION_NAME with the operation name returned by the long-running operation. For example, operations/akmf.p7-358517206116-cd10a88a-7740-4403-a8fd-979f3bd7fe1c.

curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://apikeys.googleapis.com/v2/OPERATION_NAME"
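The polling loop that this section describes, as an added Python example that is not part of the original samples: it calls operations.get until the operation reports done, backs off between polls, and separates a finished operation that carries an error from one that carries a response. The function names, the name-validation pattern, the timing defaults and the replayed responses are assumptions made for the illustration.

```python
import json
import re
import time
import urllib.request
from typing import Callable

API_ROOT = "https://apikeys.googleapis.com/v2"
# Assumption: a conservative pattern modelled on the sample operation name on this page.
OPERATION_NAME_RE = re.compile(r"operations/[A-Za-z0-9][A-Za-z0-9._-]*")


class OperationFailed(Exception):
    """The operation completed, but with an error status instead of a response."""

    def __init__(self, name: str, error: dict):
        super().__init__(f"{name}: code={error.get('code')} {error.get('message')}")
        self.error = error


def http_fetcher(access_token: str) -> Callable[[str], dict]:
    """Return a function that performs operations.get with a bearer token."""

    def fetch(operation_name: str) -> dict:
        request = urllib.request.Request(
            f"{API_ROOT}/{operation_name}",
            headers={"Authorization": f"Bearer {access_token}"},
        )
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)

    return fetch


def poll_operation(fetch, operation_name, *, timeout_s=180.0, first_delay_s=1.0,
                   max_delay_s=30.0, sleep=time.sleep, clock=time.monotonic) -> dict:
    """Poll until the operation reports done; return its response or raise."""
    # Reject names that could redirect the request to a different API path.
    if not OPERATION_NAME_RE.fullmatch(operation_name):
        raise ValueError(f"unexpected operation name: {operation_name!r}")
    deadline = clock() + timeout_s
    delay = first_delay_s
    while True:
        operation = fetch(operation_name)
        if operation.get("done"):
            if "error" in operation:
                raise OperationFailed(operation_name, operation["error"])
            return operation.get("response", {})
        remaining = deadline - clock()
        if remaining <= 0:
            raise TimeoutError(f"{operation_name} not done after {timeout_s} s")
        sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay_s)  # exponential backoff with a ceiling


# Constructed replay of three operations.get responses (not captured from a real project).
SAMPLE_NAME = "operations/akmf.p7-358517206116-cd10a88a-7740-4403-a8fd-979f3bd7fe1c"
SAMPLE_RESPONSES = [
    {"name": SAMPLE_NAME, "done": False},
    {"name": SAMPLE_NAME},  # "done" may be absent while the operation is still running
    {"name": SAMPLE_NAME, "done": True,
     "response": {"name": "projects/PROJECT_ID/locations/global/keys/KEY_ID"}},
]


def replay(responses):
    """Fetcher that returns the constructed responses in order, for offline runs."""
    remaining = iter(responses)
    return lambda _name: next(remaining)


if __name__ == "__main__":
    waits = []
    key = poll_operation(replay(SAMPLE_RESPONSES), SAMPLE_NAME, sleep=waits.append)
    print(key["name"], "after waits of", waits)
```

Against the real API, pass `http_fetcher(token)` as `fetch`, with the token taken from `gcloud auth print-access-token`.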

Limits on API keys

You can create up to 300 API keys per project. This limit is a system limit, and cannot be changed using a quota increase request.

If more API keys are needed, you must use more than one project.

What's next

  • See an overview of authentication methods.
  • Learn more about the API Keys API.
How do I use API key for authentication?

Basic Auth and API keys can also be used together. You can pass the API key via Basic Auth as either the username or password. Most implementations pair the API key with a blank value for the unused field (username or password).

What is API key authentication for cloud function?

The API key ID is used by Google Cloud administrative tools to uniquely identify the key. The key ID cannot be used to authenticate. The key ID can be found in the URL of the key's edit page in the Google Cloud console.

What is the best option for authenticating to a cloud API?

HTTP Bearer Authentication: API consumers send API requests with a unique API access token in an HTTP header. API providers then validate the API access token to authenticate API users. This API authentication method is more secure than Basic, as API requests cannot be intercepted easily.

Is API key enough for authentication?

API keys aren't as secure as authentication tokens (see Security of API keys), but they identify the application or project that's calling an API. They are generated on the project making the call, and you can restrict their use to an environment such as an IP address range, or an Android or iOS app.

How do I apply API authentication?

A common implementation is to access APIs with the OAuth2 client credentials grant type. In this scenario, the API client uses its client ID and client secret to request an access token. The access token is then used on subsequent calls against the protected endpoints to authenticate the API client.

What is the difference between API key and basic authentication?

API key-based authentication provides a more secure and scalable alternative to basic authentication, since the API key can be easily revoked or regenerated if it is compromised, and it allows the API provider to monitor and control access to the API more granularly.

What is cloud API key?

An Anthropic Claude API key is a unique string of characters that allows you to access Anthropic's Claude large language model (LLM) API.

How does cloud authentication work?

The system verifies your claim: It compares your provided credentials to what it already knows about you (e.g., stored passwords, and biometric data). Access granted or denied: If the credentials match, you're considered authenticated and allowed access. If not, you're denied.

How to use cloud API?

To enable an API for a project using the console:
  1. Go to the Google Cloud console API Library.
  2. From the projects list, select the project you want to use.
  3. In the API Library, select the API you want to enable. If you need help finding the API, use the search field and/or the filters.
  4. On the API page, click ENABLE.

What is the most common API authentication?

Best API authentication protocols
  1. OAuth (Open Authorization) OAuth is an industry-standard authentication protocol that allows secure access to resources on behalf of a user or application. ...
  2. Bearer tokens. Bearer tokens are a simple way to authenticate API requests. ...
  3. API keys. ...
  4. JSON Web Tokens (JWT) ...
  5. Basic authentication.
Oct 25, 2023

Which three methods can be used to authenticate to an API?

Here are the three most common methods:
  • HTTP Basic Authentication. The simplest way to handle authentication is through the use of HTTP, where the username and password are sent alongside every API call. ...
  • API Key Authentication. ...
  • OAuth Authentication. ...
  • No Authentication.

What is the difference between API authentication and authorization?

It is vital to note the difference here between authentication and authorization. Authentication verifies the user (Lucia) before allowing them access, and authorization determines what they can do once the system has granted them access (view sales information).

What are the disadvantages of API keys?

Lack of user context: API keys do not provide user-specific authentication, making it challenging to track and manage individual user access. This limitation can be problematic in scenarios where user-level authorization is required.

What is OAuth vs API key?

OAuth security tokens offer exceptional access to user data.

OAuth security tokens excel at enabling developers to manage user data. Whereas standard API key security practices struggle to handle write permissions mixed in with individual user authorizations, OAuth is designed to do just that.

What is an example of an API key?

An API key is a token that a client provides when making API calls. The key can be sent in the query string: GET /something?api_key=abcdef12345.

How do you use key based authentication?

To use key-based authentication, you first need to generate public/private key pairs for your client. ssh-keygen.exe is used to generate key files and the algorithms DSA, RSA, ECDSA, or Ed25519 can be specified. If no algorithm is specified, RSA is used.

How to use Basic authentication in API?

The first step is to base64 encode your credentials (your username and password). If you use the online encoder, follow these steps: In the online encoder, enter your username and password or username and API key, separated by a colon ( accountUsername:accountPassword or accountUsername:apiKey )

How to use API gateway for authentication?

Basic API authentication

With basic authentication, a client sends an HTTP request with a username and password encoded in base64. Typically, the API gateway validates the username and password against a predefined list of users and passwords.

How do I use an API key safely?

  1. Always use a unique API key for each team member on your account. ...
  2. Never deploy your key in client-side environments like browsers or mobile apps. ...
  3. Never commit your key to your repository. ...
  4. Use Environment Variables in place of your API key. ...
  5. Use a Key Management Service.

