Critical: act in the next 60 seconds

Google API key (AIza...) exposed: restrict it before billing spikes

Your Google API key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01: Open Google Cloud Console → APIs & Services → Credentials → click the leaked key.
  2. Step 02: Under "Application restrictions" pick HTTP referrers → add only your production domains. Under "API restrictions" select only the APIs you use.
  3. Step 03: If active abuse is suspected, regenerate the key entirely and update the new value in your env.

Step 01 — Revoke

Kill the leaked credential first

APIs & Services → Credentials → click the API key → Application restrictions: HTTP referrers (web sites) → add yourdomain.com/* and *.yourdomain.com/* → API restrictions: Restrict key → select only Maps SDK / Places API / etc. that you actually use → Save. To regenerate: top-right "Regenerate key".


Step 02 — Rotate

Update the new key in the right place

Unrestricted keys, and any key used for server-side calls, belong in server-side env vars only: never in client code, never under a NEXT_PUBLIC_ prefix (Next.js inlines those into the browser bundle).

Google keys CAN ship to client — but only restricted ones
// Restricted Google API keys are safe in client code.
// Restrict to your domain (HTTP referrers) and to the APIs you use in Google Cloud Console first.
// The key itself goes on the Maps JavaScript API <script> URL (?key=...), not into this call.
const map = new google.maps.Map(el, { center: { lat: 0, lng: 0 }, zoom: 2 });

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan to find every Google key in your bundle and confirm restrictions are tight.

How this usually leaks

  • AIza... key embedded in client JS without any HTTP referrer restriction.
  • Same key reused across multiple unrelated apps — one leak compromises all.
  • Key shared in a public GitHub repo for a "tutorial".
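A worked version of the Scan step and of the reuse check from the list above, added here as an example and not part of the original page or of its scanning product. It runs offline over a constructed sample tree: it matches the documented Google API key format (AIza followed by 35 URL-safe characters), records where each key appears, flags keys that reach the browser (shipped bundle directories or NEXT_PUBLIC_ env vars), and flags one key shared by more than one app. The directory hints, file names and the two demo keys are assumptions for the demo; the keys are format-valid but not real credentials.

```python
import re
from collections import defaultdict

# Google API keys begin with "AIza" and are 39 characters long in total
# (4-character prefix plus 35 URL-safe characters).
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Paths under these directories are shipped to browsers, so anything found
# there is public. These hints are an assumption about the project layout.
CLIENT_PATH_HINTS = ("/dist/", "/build/", "/public/", "/static/")

# Constructed, format-valid keys for the demo. They are not real credentials.
KEY_CLIENT = "AIza" + "SyCLIENTdemo" + "0" * 23  # 4 + 12 + 23 = 39 chars
KEY_SERVER = "AIza" + "SySERVERdemo" + "1" * 23

# Constructed sample tree: two apps, one shared key, one server-only key.
SAMPLE_FILES = {
    "web/dist/main.js": "const map = new google.maps.Map(el, {});\n"
                        f'const key = "{KEY_CLIENT}";\n',
    "web/.env.local": f"NEXT_PUBLIC_GOOGLE_MAPS_KEY={KEY_CLIENT}\n"
                      f"GEOCODING_KEY={KEY_SERVER}\n",
    "mobile/build/app.js":
        f'fetch("https://maps.googleapis.com/maps/api/geocode/json?key={KEY_CLIENT}");\n',
}


def classify(path, line):
    """Say where a key ends up: a shipped bundle, a NEXT_PUBLIC_ variable, or server-side."""
    if any(hint in "/" + path for hint in CLIENT_PATH_HINTS):
        return "client-bundle"
    # Next.js copies NEXT_PUBLIC_* variables into the browser bundle at build time.
    if line.lstrip().startswith("NEXT_PUBLIC_"):
        return "client-exposed-env"
    return "server-side"


def scan(files):
    """Map every AIza key found to the list of (path, line number, exposure) where it appears."""
    findings = defaultdict(list)
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in GOOGLE_API_KEY_RE.finditer(line):
                findings[match.group(0)].append((path, lineno, classify(path, line)))
    return dict(findings)


def report(findings):
    """Apply the page's two checks per key: does it reach the client, and is it shared across apps?"""
    rows = []
    for key, places in findings.items():
        apps = {path.split("/", 1)[0] for path, _, _ in places}
        rows.append({
            "key": key[:8] + "...",  # never copy the full secret into a ticket or log
            "locations": places,
            "client_exposed": any(exposure != "server-side" for _, _, exposure in places),
            "reused_across_apps": len(apps) > 1,
        })
    return rows


if __name__ == "__main__":
    for row in report(scan(SAMPLE_FILES)):
        flags = []
        if row["client_exposed"]:
            flags.append("reaches the browser: confirm HTTP referrer and API restrictions in the Console")
        if row["reused_across_apps"]:
            flags.append("shared by several apps: split into one restricted key per app")
        print(row["key"], row["locations"], "; ".join(flags) or "server-side only")
```

To use it on a real checkout, replace SAMPLE_FILES with the contents of your built bundles and env files; the report deliberately prints only the first eight characters of each key so the output can be pasted into an incident ticket.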

FAQ

Frequently asked questions

Are Google API keys really meant to be public?
Restricted ones, yes. The Maps JavaScript API loads the key in the browser, so it cannot be kept secret there. Restrict it to your domain and to the specific API. An unrestricted key is a billing time-bomb.
How fast does abuse hit my bill?
Geocoding calls and Maps JavaScript API loads on a leaked key can reach thousands of requests per minute. Set "Quotas" in the Cloud Console to cap daily requests per API, which bounds the spend.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.