Google Developer Console Create Public API Key 7

Please Share

Google Authentication Are you in the process of developing an application designed to incorporate one one or more of the Google APIs? Do you already have an application and want to add Google data to it? Are you having problems understating which type of Google Authentication you need to use?

This post number four in my six part  beginning Google Development series, which started with the post Google Development for beginners and continued with registering a project with Google, and Google Developers console enabling APIs.   Now we are going to look into adding public API key credentials to our project.
You may have seen Googles official  authentication documentation.  While Googles official documentation may be technically sound and valid information, I found it hard to understand when I was new to Google development. In this post I am not going to show you any code what I am going to try and help you understand what a public API is and how to access it using an API key.

In this post we are going to look into creating a public API key to access public Google Data.   In the end I will show you how to use it in a simple HTTP GET.

What is public data?

Public data is data that isn’t owned by anyone. Posts to Google+ that are shared public, the Google Analytics Meta Data API is also public data, there are even Google calendars with holidays that are public. YouTube videos that have been uploaded and set to public are also public data.

In order to access public data on Google you don’t need to be authenticated, but you do need to identify your application in your calls to Google.    We do that by creating a project on Google Developer console and then creating a public API key to access the data we want.

Authenticated is the act of asking a user can I access your data, the user then has the option of accepting and authenticating your application or declining and not being able to use your application.     This form of authentication is used in Oauth2.

So public data is data that is not owned by anyone and there fore we don’t need permission to access it.

Creating a project on Google Developer console

In the previous two posts in this series we looked at first how to registering a project on Google Developers console then we built upon our project in the next post by   enabling APIs the APIs we intended to use in our project.   If you don’t already have a project set up with APIs enabled I suggest you check those posts and come back to this one when you are done.

Creating Public API key

Create Public api key

In the Google Developers console under APIs & auths menu you will find the credentials screen.  From credentials screen click the Add credentials button.   You will have a choice as to which type of credential you would like to create.    Select API key.

As it says an API key identifies your project to Google using a simple API key to check quota and access, for apis like Google translate.

All an API key does really is tell Google that it is your project accessing their API.   Google needs to know who is using there APIs for a lot of reasons not all of them are good.   If someone set up a server or two to just make requests against Googles APIs all day this could cause problems for other users who are using the APIs for good.   That is why we are all given a quota or a number of requests that we are allowed to make to Google APIs before we have to ask permission to access more.

What is quota?

Quota is how many requests you are allowed to make to a Google API without requesting permission to access more.    Most of the Google APIs have a free quota, a number of requests Google lets you make without asking for permission to make more request.   It does not always cost you anything to extend your quota it depends upon the API if you are going to have to pay for permission to make additional requests

We talked deeply about Quotas in the the last post in this series enabling APIs, so I am not going to write the same information again.  If you haven’t read those post you should go back and read up about Quotas.   It is very important to understand how Quota works and how it may affect your project in the future.

Type of key

Type of public api key

The next step will be to choose the Type of API key you will need.     You have four choices and the only use for them is to tell Google the type of application you are using and to help secure your application.

  •  Server key used for requests coming from a server or a native application.
  • Browser key used for requests coming from a website or something hosted online.
  • Android key used for Android applications.
  • iOS Key used for iOS applications.


I am not an Android or iOS developer so I do not feel comfortable explaining how they work.     However if one of my readers has experience with this please let me know we can add information about the Android key and iOS key creation to the article.

We are only going to talk about server keys and browser keys in this post.  A server key and a browser key are pretty much the same thing just different ways of telling Google what type of application you are using, and where the requests are coming from.

Browser key

The first type of key we are going to talk about is a browser key.   The name is slightly misleading in my opinion it should be web server key if you ask me.     If the request is coming from a web server we would want to use a browser key.      If you have a script on your website that when ever a user logs onto your site it fetches a list of the most popular YouTube videos, then you would use a browser key.    This would be a bad idea really, because depending upon how many users you have on your website you would probably blow out your quota quite quickly but its still a good example. If you did want to do this you should run the script on the server once every five minutes or something and save it to a database then serve that information to your users as needed.

Browser key setup

Create public API Browser key On this screen you can fill in the Accept requests from these HTTP referrers (web sites) field to supply the name of your website.   This is to secure your API key, in the unlikely event someone finds your API key they will not be able to make requests to the API unless their requests are also coming from your web server.  http://localhost will also work

The reason we use a browser key instead of a server key is because, if you move the server hosting your website the IP address may change but the domain name won’t.  The browser key will continue to work even if your domain name moves to a different IP.

Server key

The second type of key we are going to talk about is a server key.    A server key is used when the request is either coming from a server or from an unknown location.    If you have an installed application there is no way of knowing what the IP address of the user will be so we use a server key.
Create public API server key

Server key setup

On this screen you can fill in the Request from these server IP address to tell Google about the IP address of the server or servers that will be making the requests, this is to secure your API key.    In the unlikely event someone finds your API key they will not be able to make requests to the API unless their requests are also coming from your server.
However if you are making requests from an installed windows application you wont know the IP address of your users machine, so you can leave this field blank.

By leaving the Request from these server IP address blank you are telling Googles that they should except requests from anywhere.

So a server key are normally used for requests coming from servers and from native windows applications.

The key created

Public api key

Congratulations you should now have an API key that you can use in your request.   It is very important to keep this key secret and secure.  Do not posted it to open source projects, do not share it with other users,  do not release it in your code if a user could view the source and see it.   This includes PHP projects such as WordPress plugins, you will have to tell your user how to create their own API key.

On Novemeber 5, 2014 Google made a change to the terms of use you can find that change here.

The important thing to remember about it is:

  • Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

You can read my post about my discussion with the author of the change in the Terms of service about how this will affect open source projects. Changes to the Google API terms of service.

No referrer restrictions warning

quota warning Google really wants to keep our API keys secure so if you have not supplied a referrer restrictions in your API key creation you will see a yellow warning symbol reminding you that you should do so.

You don’t have to supply this and in some instances you cant, but it is still a good idea to add one if you can.

Making a request

Since we enabled the YouTube API in the last post lets continue to use that. Lets try and find a list of the most popular public videos on YouTube.

Try and click on the following link.

 "error": {
  "errors": [
    "domain": "usageLimits",
    "reason": "dailyLimitExceededUnreg",
    "message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
    "extendedHelp": ""
  "code": 403,
  "message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."

Now why did we get that error message? The key part of this error message is the statement Continued use requires signup. Google is telling us that we need to be signed up to access the API.

Take your new API key and try and add it to this link. This will only work if you created an API key without supplying the referral because you are probably just going to place it in your current web browser. Sadly I cant give you one that I created myself because that would be against the terms of use that we already discussed.{YOUR_API_KEY}

Bingo we have data. This data is in JSon format. I suggest you look into finding one of the Google client libraries for accessing the API they parse the JSon nicely and make it much easier to work with.


Public data is data that is not owned by anyone and we don’t need to be authenticated to access it.  We looked at how to create two different types of API keys a server key and a browser key, and what the difference between them was. It is most secure to add a referral location when we create a API key to ensure that no one tries to use our quota. Googles terms of use states that we must keep our API key save and secure and not share it with anyone.

API keys do not expire a key created today should work 6 months from now.

I hope this post helped to clear up how to create a public API key and how to use it.   Join me for the next post where we look at how to create Oauth2 credentials.

Please Share

Linda Lawton

About Linda Lawton

My name is Linda Lawton I have more than 20 years experience working as a developer and a database expert. I have been working with several of the Google APIs, since 2012. I helping others in the On-Line community to develop with the Google APIs, by creating my own blog This and my presence on a number of On-Line developer forums lead me to be noticed by the Google Analytics API development team. I was nominated for and recently became one of the first Google Developer Experts for Google Analytics.

Leave a comment

Your email address will not be published. Required fields are marked *

7 thoughts on “Google Developer Console Create Public API Key

  • Amal

    hello thanks for ur article its helpful but i got this error
    daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.

      • Tran Hoang Hiep

        you can explain in detail the error: Daily Limit Exceeded for unauthenticated Use. Continued use requires signup
        We wish you to help. I have read a lot but still have not found the answer. I do not know English is best to read more but I hope you help me understand.

        • Linda Lawton
          Linda Lawton Post author

          In order to access private user data you must be authenticated. For public data you must identify your application. In the case of Private data you need to send an API key to identify your application. When requesting data for a user you must send the access token that gives you access to the users data which also inadvertently identifies your application. In both cases if you don’t send them you will get.

          Daily Limit Exceeded for unauthenticated Use. Continued use requires signup

          Note: Prior to a year or so ago you where allowed to make around 100 requests to a public API before you were locked out by this message. Around a year ago google changed it forcing everyone who wants to access their APIs to create a application on Google Developers console. I still know of one that doesn’t require it but i think its a special case.

          Example: open this in a web browser returns. Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.

          If I create an application on Google Developers console and create a public api key i will then be able to run{YOUR_API_KEY} and get the results.

          Hope this helps.

          • Tran Hoang Hiep

            Thank you. What you share is wonderful!

            This can bring tremendous value to me.

            I also hope to help others while having the same error.

            After reading your reply I realized that there are two types of data.
             It may conflict when using the API key and OAuth 2.0 client IDs keys.

            Is so, each type of data need to configure different keys:

            I am using OAuth 2.0. and I used the 4 steps:

            1. Configure the flow by using function config ()

              $ File = public_path (). “/ Client_secret.json”;
                    $ Client = App :: make ( “Google_Client”);
                    $ Client-> setAuthConfigFile ($ file);
                    $ Client-> setScopes ([
                    // Config refresh_token
                    $ Client-> setIncludeGrantedScopes (true);
                    $ Client-> setAccessType ( “offline”);

                    return $ client;

            2. Functions redirected to Oauth 2.0

             redirect_Oauth2 public function () {
                    $ Client = $ this-> config ();
                    $ Auth_url = $ client-> createAuthUrl ();
                    return redirect (filter_var ($ auth_url, FILTER_SANITIZE_URL));

            3. Function Handle Reponse token.

             handle_token public function (Request $ request) {
                    $ Client = $ this-> config ();
                   // Get the request rediect? Code = Token
                    $ Code = $ request-> code;
                    if (isset ($ code)):
                        $ Client-> authenticate ($ code);
                        $ Client-> getAccessToken ();
                        // Set Session == access_token
                        Session :: put ( “access_token”, $ client-> getAccessToken ());

                        return redirect ( “/ google / index”);
                        return redirect ( “/ google / redirect_oauth2”);

            4. Call API google Plus G + API demo

              getPlus public function () {
                    $ Client = $ this-> config ();
                    // Get the session
                    $ Access_token = Session :: get ( “access_token”);
                    if ($ access_token):
                        $ Client-> setAccessToken ($ access_token);
                        if (! $ client-> isAccessTokenExpired):
                            $ Refresh_token = Session :: get ( “refresh_token”);
                            $ Client-> refreshToken ($ refresh_token);
                            $ Access_token = $ client-> getAccessToken ();

                    // Call API
                    if ($ client-> getAccessToken ()):
                        // API Google_Service_Plus
                        $ Plus = App :: make ( “Google_Service_Plus”);
                        $ User = $ Plus-> people-> get ( “me”);
                        var_dump ($ user);

            – This code gives an error: Daily Limit for unauthenticated ….

            I think there will be many similar mistakes. Do you see something wrong with my code please share.

            A friend or someone reading your answer, as you helped me. They will really appreciate you!

            would like to thank !

          • Trần Hoàng Hiệp

            Hi : Linda Lawton
            thank you Linda Lawton !

            I’ve discovered a lot from php source code.
            I come back to share with one comment.
            Hopefully people will overcome behind:

            How very simple in my php show it:

            $client = new Google_client ()

            var_dump ($ client);

            It returns an instance of the server configuration $ client = null or Auth 2.0.

            After a call to the service api

            $plus = new Google_Services_Plus()

            var_dump ($plus);

            if $plus[“client”][‘config’] == null

            please review the $client configuration.

            If ok to continue.

            attention on the same token $plus[“client”][“token”]

            if the null check $getAccessToken();

            and see $setAccessToken($ token);

            edit until ok.

            will solve the majority of these errors caused by api or client and where judgment was error.

            Here is how to solve from your learning. The answers to questions about public api and select ID