Exposing our API key

Hi @srd75,

Thank you for getting in touch, we do appreciate your time.

Yes, to confirm, the API key is localized on the website to allow us to make calls to the API for common requests, such as geocoding (converting addresses into coordinates), as an example.

With that said, as part of our setup guide, you should have been asked to restrict your key to your website as shown here: Restricting API Access

If you have added your restrictions in the past, your key is fully protected and can only be used on your website. Alternatively, if you have not setup these restrictions, we would highly recommend doing this now, and regenerating your API key for good measure.

I hope this helps?

Yes, that helps, thanks.

Do other plugins do things differently, not exposing the API key in the source code?

Hi @srd75,

Great to hear. Some plugins may only expose the API key as part of the API request, which must be present for the Google Maps API to be loaded.

We believe the emails which some users are receiving at the moment refer to the second localization (inclusion to source) of the key that our plugin makes, which is within the settings object loaded on the site.

We’re currently looking into whether or not that second inclusion is necessary, if not, it will be obscured/removed. This would be done in our next update, to prevent Google from mistakenly sending out the email users are getting regarding their keys.

As mentioned, as long as your key has restrictions present, everything should be fine as the key is only usable on that domain.

OK, thank you, Dylan.

Only a pleasure, have a great day!