How does Google Maps secure their API Key? How to make something similar?

I'm quite certain they use the REFERER URL to determine where the call is coming from. If the domain doesn't match what's assigned to the key, it's an invalid request.

For a practical example, using PHP you can check the domain using $_SERVER['HTTP_REFERER'] to check the referer. If the domain matches, return a valid response. If it doesn't, you can return a 401 Unauthorized or other response.

The API key itself is most probably a one way hash of the domain the key is associated with and a secret only the Google API server knows about. It may contain some other pieces of well-known (to Google of course) information. When you make a request from that domain, the API server takes the domain the request comes from and makes that same one way hash calculation and compares the two values.

For Ajax calls, they most probably use the referrer to get the domain of the document host. While the referrer can be spoofed, ultimately in order to use the API, you need to get Google javascript to execute in the document. At this point, this javascript can verify that indeed the document that invoked the Ajax API call originated from the target server. This is also spoofable of course, provided you have your own DOM implementation or on the fly modification of the script. However, this spoofing needs to happen on the client side and the chances that the website that wants to use Google API will be able to spoof the client software are quite small.

Note that since the API is essentially free, they could've offered anonymous access to their API as well. Apparently Google's intent is not to protect unauthorized access to it, but to ensure that they can gather as much data as possible about that data usage and be able to associate that usage with other data they've collected about the target domain. As such, I wouldn't expect the API key verification to be much more complex than what I described above - the ROI on more advanced approach is too low.

And of course there's also the concern of possible XSS attacks through their API. But I don't believe their API key is tied too much into any anti-XSS code they have.

As my comment says:

The REFERER is spoofable, so it is probably unlikely that Google will use it as a means of verification. See this wikipedia entry.

My guess is that Google probably uses the IP address of the caller along with a DNS lookup. DNS is not really spoofable, as your DNS entries have to be correct for the website to even get to you.

But, even that has its problems, because if a server uses a Round-Robin IP Address DNS setup, Google will be redirected to a different IP address when doing a DNS lookup.

From the FAQ

Note that a key for http://www.mygooglemapssite.com/ will only be accepted when the site is accessed using this address. It will not be accepted if the site is accessed by IP address (eg. http://10.1.2.3/) or by a hostname that is aliased to www.mygooglemapssite.com using a DNS CNAME record.

My guess is that it might be using the Host header that is sent when requesting the page, which would work as normally Google asks you to include it's API script directly into the page. Then that script has access to the headers for the current page and can use that to check.

My guess is backed up with the fact that it does not work for IP addresses or Aliases, which means it isn't doing a DNS check.

THIS method cannot be spoofed, as it must be the correct header to access the page. However, this means that any aliases to the domain will not work.

However, this also means that you MUST provide a Javascript library to access the code, as you can't check this server side, I believe.

I agree with all the points that Franci Penov has listed. I would like to elaborate a little bit on using someone else's API key. Let us assume you register key1 with example.com.

1. First attempt – If anothersite.com has <script src="http://www.google.com/jsapi?key=key1">, Google could check its referrer (hash scheme mentioned) and in this case there is a mismatch. How does evil attacker overcome this, since a lot of people have mentioned that referrer can be spoofed? This does not really apply here. Sure you could send arbitrary headers if you make the request, but how does evil hacker spoof referrer for users on anothersite.com? This is in general not easy. There have been old versions of flash on IE 6 that allowed attacker to set arbitrary headers when making cross domain requests, but in general this is not workable for script src. I am not sure if the included Javascript does any validation of document.location to prevent this (probably not).

2. Second attempt – An evil attacker copies Google Javascript for the API key from mysite.com's page source and then embeds modified javascript on anothersite.com. Now Google can't check anything (the remote IP will be the user's computer, and there isn't a whole lot you or Google can do).

So, if you want to for some reason keep your API key secret (one reason, malicious person can get your key blacklisted/blocked), then don't embed key in client and proxy requests via your server (your application code now has the key).

The reason it works is that you cannot make API calls with javascript. Browser security prevents javascript from making requests anywhere except to the domain that the javascript originated from. Because of this, any API calls from javascript need to be bounced through your server where the API key is stored (the api key is never seen by javascript).