Hi there!
The Google Maps browser key is indeed shown in the code, and that expected and required (see “Use API keys” documentation from Google).
The API Key is expected to be included with every request, as specified in Google’s own documentation:
You must include an API key with every Maps JavaScript API request. In the following example, replace YOUR_API_KEY with your API key.
<script async defer src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"></script>
HTTPS is required for requests that use an API key.
In any case, the server key is not exposed, only the browser key.
If you are still concerned about the browser key being visible, please read through this other document from Google: API Security Best Practices.
I hope that helps.
Regards,
Pt
(@bncpeter)
Thanks @farroyob, I suspected that might be the case. It would be nice if Google’s automated check also checked if the key was a) just a browser key and b) restricted to the relevant domains before pestering me with notices.
Any further thoughts Tijmen?
Hi @bncpeter.
I checked this issue with @tijmensmit and he agrees with me. This is probably Google sending a ton of e-mails to API users so they double check their settings, but nothing has changed and the browser key must be included in the request as explained before.
Regards,
Pt
(@bncpeter)
Great, thanks @farroyob!
Hopefully this saves him some support emails.
