This topic describes how to create an API key for the Maps SDK for Android, add it to your app, and secure the app by restricting the key. You must add an API key to any app that uses the SDK.
Before you begin
Before you start using the Maps SDK for Android, you need a project with a billing account and the Maps SDK for Android enabled. To learn more, see Set up in Cloud Console.
Creating API keys
The API key is a unique identifier that authenticates requests associated with your project for usage and billing purposes. You must have at least one API key associated with your project.
To create an API key:
- Go to the APIs & Services > Credentials page.
- On the Credentials page, click Create credentials > API key.
  The API key created dialog displays your newly created API key.
- Click Close.
  The new API key is listed on the Credentials page under API keys.
  (Remember to restrict the API key before using it in production.)
Adding the API key to your app
This section describes how to store your API key so that it can be more securely referenced by your app. You should not check your API key into your version control system, so we recommend storing it in the local.properties file, which is located in the root directory of your project. For more information about the local.properties file, see Gradle properties files.
To streamline this task, you can use the Secrets Gradle Plugin for Android.
To install the plugin and store your API key:
- In Android Studio, open your app-level build.gradle file and add the following code to the plugins element.
  id 'com.google.secrets_gradle_plugin' version '0.5'
- Save the file and sync your project with Gradle.
- Open the local.properties file in your project-level directory, and then add the following code. Replace YOUR_API_KEY with your API key.
  MAPS_API_KEY=YOUR_API_KEY
- Save the file and sync your project with Gradle.
- In your AndroidManifest.xml file, go to com.google.android.geo.API_KEY and update the android:value attribute as follows:
  <meta-data android:name="com.google.android.geo.API_KEY" android:value="${MAPS_API_KEY}" />
Note: As shown above, com.google.android.geo.API_KEY is the recommended metadata name for the API key. A key with this name can be used to authenticate to multiple Google Maps-based APIs on the Android platform, including the Maps SDK for Android. For backwards compatibility, the API also supports the name com.google.android.maps.v2.API_KEY. This legacy name allows authentication to the Android Maps API v2 only. An application can specify only one of the API key metadata names. If both are specified, the API throws an exception.
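A pre-commit style check for the manifest rules above, as an added example that is not part of the original page or of the Secrets Gradle Plugin. The function names, result words and sample manifests are assumptions made for illustration; it needs a grep that supports -o.

```shell
#!/bin/sh
# Added example: lint AndroidManifest.xml for how the Maps API key is declared.
# lint_manifest prints one of: ok | literal-key | both-names | missing
NEW_NAME='com.google.android.geo.API_KEY'
LEGACY_NAME='com.google.android.maps.v2.API_KEY'

# Emit each <meta-data ...> element on one line, even if wrapped in the file.
meta_elements() {
    tr '\n' ' ' < "$1" | grep -o '<meta-data[^>]*>' || true
}

lint_manifest() {
    elems=$(meta_elements "$1")
    new=$(printf '%s\n' "$elems" | grep -F "\"$NEW_NAME\"" || true)
    old=$(printf '%s\n' "$elems" | grep -F "\"$LEGACY_NAME\"" || true)
    if [ -n "$new" ] && [ -n "$old" ]; then
        echo both-names; return 0      # the API throws if both names are present
    fi
    entry=${new:-$old}
    if [ -z "$entry" ]; then echo missing; return 0; fi
    value=$(printf '%s\n' "$entry" |
        sed -n 's/.*android:value="\([^"]*\)".*/\1/p')
    case $value in
        '${'*'}') echo ok ;;           # placeholder filled in at build time
        *)        echo literal-key ;;  # key text would be committed with the manifest
    esac
}

# Constructed sample manifests (not from a real project).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
elem() { printf '<meta-data\n  android:name="%s"\n  android:value="%s" />\n' "$1" "$2"; }
elem "$NEW_NAME" '${MAPS_API_KEY}'     > "$demo/placeholder.xml"
elem "$NEW_NAME" 'CONSTRUCTED_LITERAL' > "$demo/literal.xml"
{ elem "$NEW_NAME" '${MAPS_API_KEY}'; elem "$LEGACY_NAME" '${MAPS_API_KEY}'; } > "$demo/both.xml"

for f in placeholder literal both; do
    printf '%s: %s\n' "$f" "$(lint_manifest "$demo/$f.xml")"
done
```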
Restricting API keys
Restricting API Keys adds security to your application by ensuring only authorized requests are made with your API Key. We strongly recommend that you follow the instructions to set restrictions for your API Keys. For more information, see API Key best practices.
To restrict an API key:
- Go to the APIs & Services > Credentials page.
- Select the API key that you want to set a restriction on. The API key property page appears.
- Under Key restrictions, set the following restrictions:
  - Application restrictions:
    - Select Android apps.
    - Click + Add package name and fingerprint.
    - Enter your package name and SHA-1 certificate fingerprint. For example:
      com.example.android.mapexample
      BB:0D:AC:74:D3:21:E1:43:67:71:9B:62:91:AF:A1:66:6E:44:5D:75
      For more information, see Getting a SHA-1 fingerprint.
  - API restrictions:
    - Click Restrict key.
    - Select Maps SDK for Android from the Select APIs dropdown.
      If the Maps SDK for Android is not listed, you need to enable it.
- To finalize your changes, click Save.
Getting a SHA-1 fingerprint
When you restrict your API key, you must provide the SHA-1 certificate fingerprint of the signing key that was used to sign the application. The fingerprint is a sequence of 20 two-digit hexadecimal numbers separated by colons. There are two certificate types:
keytool program. Use this certificate when you are ready to release your app to an app store.
Follow the steps below to display a SHA-1 fingerprint using the Keytool command line app.
Displaying the debug certificate fingerprint
- Locate your debug keystore file. The file name is debug.keystore, and is created the first time you build your project. By default, it is stored in the same directory as your Android Virtual Device (AVD) files:
  - macOS and Linux: ~/.android/
  - Windows Vista and Windows 7: C:\Users\your_user_name\.android\
- List the SHA-1 fingerprint:
  For Linux or macOS, open a terminal window and enter the following:
  keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android
  For Windows Vista and Windows 7, run:
  keytool -list -v -keystore "%USERPROFILE%\.android\debug.keystore" -alias androiddebugkey -storepass android -keypass android
  The output should be similar to the following. The line that begins with SHA1 contains the certificate's SHA-1 fingerprint.
  Alias name: androiddebugkey
  Creation date: Jan 01, 2013
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=Android Debug, O=Android, C=US
  Issuer: CN=Android Debug, O=Android, C=US
  Serial number: 4aa9b300
  Valid from: Mon Jan 01 08:04:04 UTC 2013 until: Mon Jan 01 18:04:04 PST 2033
  Certificate fingerprints:
      MD5: AE:9F:95:D0:A6:86:89:BC:A8:70:BA:34:FF:6A:AC:F9
      SHA1: BB:0D:AC:74:D3:21:E1:43:07:71:9B:62:90:AF:A1:66:6E:44:5D:75
      Signature algorithm name: SHA1withRSA
      Version: 3
Displaying the release certificate fingerprint
- Locate your release certificate keystore file. There is no default location or name for the release keystore. If you don't specify one when you build your app for release, the build will leave your .apk unsigned, and you'll have to sign it before you can publish it. For the release certificate, you also need the certificate's alias and the passwords for the keystore and the certificate. You can list the aliases for all the keys in a keystore by entering:
  keytool -list -keystore your_keystore_name
  Replace your_keystore_name with the fully-qualified path and name of the keystore, including the .keystore extension. You'll be prompted for the keystore's password. Then keytool displays all the aliases in the keystore.
- Enter the following at a terminal or command prompt:
  keytool -list -v -keystore your_keystore_name -alias your_alias_name
  Replace your_keystore_name with the fully-qualified path and name of the keystore, including the .keystore extension. Replace your_alias_name with the alias that you assigned to the certificate when you created it.
  The output should be similar to the following. The line that begins with SHA1 contains the certificate's SHA-1 fingerprint.
  Alias name: <alias_name>
  Creation date: Feb 02, 2013
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=Android Debug, O=Android, C=US
  Issuer: CN=Android Debug, O=Android, C=US
  Serial number: 4cc9b300
  Valid from: Mon Feb 02 08:01:04 UTC 2013 until: Mon Feb 02 18:05:04 PST 2033
  Certificate fingerprints:
      MD5: AE:9F:95:D0:A6:86:89:BC:A8:70:BA:34:FF:6B:AC:F9
      SHA1: BB:0D:AC:74:D3:21:E1:43:67:71:9B:62:90:AF:A1:66:6E:44:5D:75
      Signature algorithm name: SHA1withRSA
      Version: 3
For more information about digital certificates, see the Sign your app guide.
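One way to check that the fingerprint of a keystore is the one entered in the key's Android app restriction, as an added example that is not part of the original page. The function names are assumptions, and the sample keytool output and fingerprints are constructed.

```shell
#!/bin/sh
# Added example: pull the SHA-1 line out of `keytool -list -v` output and
# compare it with the fingerprint entered in the key's Android restriction.

# Read keytool output on stdin, print the SHA-1 fingerprint in upper case.
extract_sha1() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# Succeed only for 20 two-digit hexadecimal numbers separated by colons.
is_sha1_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{2}(:[0-9A-F]{2}){19}$'
}

# Print match | mismatch | malformed for keystore vs. restricted fingerprint.
compare_fingerprint() {
    actual=$1
    restricted=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if ! is_sha1_fingerprint "$actual" || ! is_sha1_fingerprint "$restricted"; then
        echo malformed
    elif [ "$actual" = "$restricted" ]; then
        echo match
    else
        echo mismatch      # a single differing byte is enough to fail the restriction
    fi
}

# Constructed sample: trimmed keytool output with a made-up fingerprint.
sample_output='Alias name: androiddebugkey
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
     Signature algorithm name: SHA1withRSA'

fp=$(printf '%s\n' "$sample_output" | extract_sha1)
echo "extracted: $fp"
compare_fingerprint "$fp" '00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
compare_fingerprint "$fp" '00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:34'
```

With a real keystore, pipe either keytool -list -v command shown above into extract_sha1 instead of the sample text.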