0
votes

I receive a 403 error in the Google Maps API dashboard for the Geocoding API after limiting the key to my domain. The geocoding works when the key is unrestricted. Currently I have the following as acceptable HTTP referrers:

This allows my basic JavaScript map and autocomplete forms to work on HTML pages. However, the geocoding is done through a Python script that accesses website.com/markers (has no HTML page, just displays JSON data if you visit it). Is there a reason it will not work? The 403 error is what I see in the API dashboard, but I receive an internal server error message when visiting website.com/markers. When unrestricted, the dashboard shows response code 200 and I can see the correct JSON data. Therefore, I believe my code is not the issue.

Things I have tried:

  • Allowing “https://website.com/markers” as a referrer, as well as www. version of that, and http versions. Also used versions without http or https.
  • Changing to allow IP address of website (referrer not allowed error happens when I do this)
  • Double checking all references to API key in code. Code works in development and in production when unrestricted.
  • Double checked that all needed services are enabled in the Google API console and not over quotas.

I have searched for this issue for hours and cannot find an answer. Please go easy on me if I have overlooked something simple.

2 Answers

1
votes

It sounds like you're trying to use the method of URL restriction intended for use with client-side web APIs. In that case, the public URL of the site is used in the validation.

You want to use the IP address validation, intended for server-side calls.

The following is from https://developers.google.com/maps/faq#keysystem:

API Key: An API key is a unique identifier that you generate using the Google API Console. API keys are generally used with the standard APIs. Premium Plan customers typically can choose to use a client ID or an API key. You can choose to use an API key without applying restrictions (called a “generic API key”) or a key with restrictions applied for greater security. APIs in any platform may use a generic API key.

You can optionally add a restriction (for example, IP address) to the API key. Once restricted, a key will only work on platforms that support that type of restriction. Four types of API key restrictions are available:

  • IP addresses (individual servers) - for use with the web service APIs.

  • HTTP referrers (web sites) - for use with the Web APIs.

  • Android app restriction (by package name and fingerprint) - for use with the Android APIs.

  • iOS app restriction (by iOS bundle identifier) - for use with the iOS APIs.

1
votes

You need a different key for the web services. You can't apply both HTTP and IP restrictions on the same key. You need HTTP Restrictions on your Google Maps JavaScript API v3 key and IP Restrictions on your web service key.
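
An added example, not part of the question or either answer: a server-side geocoding helper that uses its own IP-restricted key, as both answers recommend, and turns a `REQUEST_DENIED` reply into a specific exception rather than an unexplained internal server error. The environment variable name `MAPS_SERVER_KEY`, the function names and the sample response bodies are assumptions constructed for illustration.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GEOCODE_URL = "https://maps.googleapis.com/maps/api/geocode/json"

class GeocodeDenied(Exception):
    """Key rejected: wrong restriction type, caller IP not listed, or API not enabled."""

def build_request_url(address, key):
    # Server-to-server call: the key is a query parameter and no browser Referer is sent.
    return GEOCODE_URL + "?" + urllib.parse.urlencode({"address": address, "key": key})

def parse_geocode_response(body):
    """Return (lat, lng), None for no match, or raise instead of crashing the view."""
    data = json.loads(body)
    status = data.get("status")
    if status == "REQUEST_DENIED":
        raise GeocodeDenied(data.get("error_message", "request denied"))
    if status == "ZERO_RESULTS":
        return None
    if status != "OK":
        raise RuntimeError("geocoding failed: %s" % status)
    loc = data["results"][0]["geometry"]["location"]
    return loc["lat"], loc["lng"]

def geocode(address, key=None, opener=urllib.request.urlopen):
    # MAPS_SERVER_KEY is an assumed name for the IP-restricted key, kept out of
    # any HTML/JS so it is never exposed to browsers.
    key = key or os.environ["MAPS_SERVER_KEY"]
    try:
        with opener(build_request_url(address, key), timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # an error status may still carry the JSON body
    return parse_geocode_response(body)

# Constructed sample bodies (not captured from a real request).
SAMPLE_DENIED = json.dumps({"results": [], "status": "REQUEST_DENIED",
                            "error_message": "constructed: key restriction does not allow this caller"})
SAMPLE_OK = json.dumps({"status": "OK", "results": [
    {"geometry": {"location": {"lat": 40.5, "lng": -74.25}}}]})
```

Catching `GeocodeDenied` in the `/markers` handler and logging its message shows the restriction mismatch directly, while the referrer-restricted key stays in the browser-side JavaScript only.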