Google provides some usage credits for the Maps Platform, but charges begin once those limits are exceeded. While the API key is securely stored in your website’s backend, it may not be restricted to specific websites.
This means that unauthorized third parties could potentially discover and use your key, leading to excessive usage of the free credits — and ultimately to unexpected charges on your Google Cloud account. Google clearly states that you’re responsible for any charges incurred from unrestricted API keys, including usage by unauthorized parties. Continued exposure could even result in account suspension.
To prevent this, you need to restrict your Google Maps Platform API key so that it can only be used by your authorized website(s). This is a simple process you can complete in the Google Cloud Console.
Go to console.cloud.google.
Click the menu icon (☰) at the top-left corner and go to APIs & Services → Credentials.
On the Credentials page, locate the API key currently used on your website. If you received a direct email from Google, it might mention the specific key name.
Click the key name to open the Edit API key page.
Scroll down to Application restrictions, and select: HTTP referrers (websites)
Under Website restrictions, click Add an item and enter your site URLs using this format:
*.yourdomain.com/* (use this if you’re running websites on subdomains)
Make sure to include the asterisk (*) and both versions (with and without www) if needed.
Click Save at the bottom of the page. It may take a few minutes for the changes to take effect.
Once saved, your key should show all authorized domains listed with the restrictions properly applied.
After applying the restrictions, please visit your websites to confirm that the maps are still displaying and functioning properly (you can find the map at the bottom of the home page of every franchisee website). If something isn’t working, double-check the URLs you added for typos or missing entries.
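The double-check in the last step can be done before saving. The script below is an added example, not Google's code or its actual matching logic: it compares the patterns you plan to enter against your site URLs and lists any site that none of them covers. It assumes a simplified wildcard rule (scheme ignored, a host wildcard never crosses a "/"), and the function names and sample domains are made up for illustration.

```javascript
// Added example (not Google's matcher). ASSUMPTION: "*" is a simple wildcard,
// the scheme is ignored, and a wildcard in the host part never crosses a "/".
function patternToRegExp(pattern) {
  const p = pattern.trim().toLowerCase().replace(/^https?:\/\//, "");
  const slash = p.indexOf("/");
  const host = slash === -1 ? p : p.slice(0, slash);
  const path = slash === -1 ? "" : p.slice(slash);
  // Escape regex metacharacters, leaving "*" to be expanded afterwards.
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(
    "^" + esc(host).replace(/\*/g, "[^/]*") + esc(path).replace(/\*/g, ".*") + "$"
  );
}

// True when at least one configured pattern covers the page URL.
function isCovered(siteUrl, patterns) {
  const u = new URL(siteUrl);
  const candidate = (u.host + u.pathname).toLowerCase();
  return patterns.some((p) => patternToRegExp(p).test(candidate));
}

// Sites whose maps would stop loading once the restriction is saved.
function uncoveredSites(siteUrls, patterns) {
  return siteUrls.filter((url) => !isCovered(url, patterns));
}

// Constructed sample data: placeholder domains; the second pattern has a typo.
const enteredPatterns = ["*.yourdomain.com/*", "yourdomian.com/*"];
const siteUrls = [
  "https://www.yourdomain.com/",
  "https://franchise1.yourdomain.com/contact",
  "https://yourdomain.com/",
];

console.log("Not covered:", uncoveredSites(siteUrls, enteredPatterns));
```

With the sample data, the site without www is reported because the wildcard entry only covers subdomains and the second entry is misspelled.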