I have an application that currently uses google maps and address search. I am about to switch to a higher tier of usage, but wanted to know what safeguards (if any) are in place to prevent a mischievous party from flooding the API call with my API key, therefore running up my usage numbers (even though it is not legitimate).
I know that google has some control in place where the user has to answer a captcha if google detects too much traffic coming from a certain IP address. In this case, would this help prevent the issue? If so, what is the rate at which someone could still hammer google with my API key?
You can set rate limits (per user) in the API console, for each API.
Related
Quick question, just to clarify the wording and meaning (because it's changed a couple of times for Map loading...)
There are the two following statements in the Places API FAQs:
The Google Places API has the following query limits:
Users with an API key are allowed 1 000 requests per 24 hour period.
Users who have verified their identity through the APIs console are
allowed 100 000 requests per 24 hour period. A credit card is required
for verification, by enabling billing in the console. We ask for your
credit card purely to validate your identity. Your card will not be
charged for use of the Places API. While the lower limit is sufficient
for development and testing, we recommend enabling the higher limit
before launching your application. It is possible to request an
additional quota. If granted, the additional quota is free of charge.
If, at some stage in the future, an option becomes available to pay
for an additional quota, that quota will be over and above the
existing free quota, and you will need to sign up for it explicitly.
Note that some services may have a multiplier:
The Text Search service is subject to a 10-times multiplier. That is,
each Text Search request that you make will count as 10 requests
against your quota. The Radar Search Service is subject to a 5-times
multiplier. That is, each Radar Search request that you make will
count as 5 requests against your quota. If you've purchased the Google
Places API as part of your Maps API for Business contract, the
multiplier may be different. Please refer to the Google Maps API for
Business documentation for details.
This implies that use of the Google Places API is restricted to 100,000 queries per day, or 10,000 if you're doing a Text Search.
However, on the Uplift page, it says the following:
If you are developing a web based application that only needs to
search for places, and is not submitting new places or Place Bumps,
you should use the Places library of the Maps API rather than using
the Places API web service. The Places library assigns a quota to each
end user rather than to each key. This means that your available quota
increases with your user base rather than being capped at a fixed
amount.
I am using the Places API in the following way:
https://maps.googleapis.com/maps/api/js?key=XXX&libraries=places
...
service = new google.maps.places.PlacesService(map);
service.textSearch(request, callback);
And also for some details searching and photo searching.
Therefore my question is; Given my usage of the Places API, am I subject to the 100,000 queries limit on my app, or am I essentially uncapped at an app level, as my quota is per end-user? (i.e. per unique IP? if I had 10,000 users I have an effective quota for my entire user base of 100,000*10,000?)
EDIT:
For clarity: if I throw my API key into https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=500&types=food&name=harbour&sensor=false&key=XXXX, it will increment my Places quota count on the Google API console, however if I run queries through my JS app, I see no quota use change. I want to make sure that i'm not suddenly going to be hit with a massive quota result.
Use of the JavaScript API services, like those provided by the Places library, have quota assigned to each end-user. It's a very similar setup as objects like the google.maps.Geocoder, which has been discussed in a bit more detail in this Geocoding Strategies article.
You may apply for an uplift to the quota so that the restriction is taken away and you have unlimited access:
https://docs.google.com/forms/d/18pkOdu0uofeI8tbQoReDVfkbOIAscLvjiKc9ZP06hEM/viewform
This form is applicable to Android, IOS and Web.
UPDATE: In an effort to give a more clear question. How do I use the Google Console API key with the Google Maps Geocoding Web Service API? At the moment the request comes back as denied, when I specify the key but even though it failed it is logged in the Google Console API site's reports section.
Original Question
I have an existing app that has been modified to start geocoding address at the time they are entered (for use within the app on a Google Map). The volume expected for this is expcted to be within the free offering's limites and does not require a key at this time. However now I have to geocode all of the existing addresses. I have a small windows app (C#) that will loop through them one at a time, request they be geocoded (via https://maps.googleapis.com/maps/api/geocode/json) and store the results in the database. However I keep running into the query limit. To help alleviate this I've setup an account on Google API Console (https://code.google.com/apis/console/) so that I get go over the limit and just be billed for the overages.
The problem is in order to do utilize this billing alternative I have to provide a Console API Key to the request, but every time I do so I get a response back with a status of REQUEST_DENIED.
My URL looks like this
https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA+94043&sensor=false&key=123abc
If I take off the key it works fine, but with it on it fails. Now, I have seen other questions similar to this when looking around but can find no answer to the issue.
I've tried various alternate domains including maps.google.com, maps.googleapis.com and maps-api-ssl.google.com all seem to have the same problem from what I can tell.
Here's what I've been able to find out so far:
The service is listed in the Google Console API's site as Google Maps API v3, (there is a separate entry for v2) so I don't think it's a problem with keys no longer being mandatory in v3.
I know the requests are getting through and being correctly logged against this API key because with each failed attempt the request count goes up by one on the Reports tab of the Google APIs Console.
*I know it's not a problem with it not being accessed via a web page because the Console API explicitly lets you generates keys intended for Server/Service use and you can restrict access to them via IP address, not URL Referrer.
*I've also verified the parameter syntax as it's outlined on this page, as are other usage
*These seem to be generic to the Console API system but there is no mention of exceptions to these practices when used for the Google Maps API.
I even tried to contact Google but apparently they don't offer support over the phone (I was hoping to be done with this today but that's not looking likely).
It seems the key is not necessary anymore, since it doesn't increase your limit of free geocodings.
It was a legacy of v2, but geocoding API v2 was fully deprecated last March, 8.
If you need to use more than the free limit, I think you must adquire the Enterprise license.
Regards,
Eduardo.
I ran into this same issue and solved it by enabling the Geocoding API on the Google apis dashboard. Even though I'm using the Google Maps JavaScript API v3, it still required me to enable the Geocoding API as well. Make sure you understand the google's quota limits and billing system before enabling any API access. Hope this helps!
Late to this answer, but just in case anyone else has issue. Billing needs to be setup first and like Dylan said you also have to enable Geocoding API(this got me). At least I did for my locations app that shows multiple store location addresses.
I saw that one has not to obtain a Google Maps API key if you want to use their maps api in general, only if you want to use their web services and statistics etc.
Now I have two questions regarding this:
If I have a public website which uses the Google Maps API to display a map with default options. How does Google count the API calls if I don't use an API key? (Maybe with the help of the domain which requests the map?)
If they do so and my site exceeds the 25k calls/day, is there a possiblity that my users can login with their Google account on my site and some backend logic will get them an API key from Google that I store e.g. in a database. So I could use the API keys of my users to bypass the API usage limits only for my site.
Assuming you are using the Javascript API v3:
This SO question partially answers your queries.
Have a look at the usage limits, it looks like that you cannot use more than one API key:
Can I use more than one API key to increase my available usage over
the documented limits?
Google reserves the right to withhold access to the Maps API from any site that attempts to use more than the permitted number of map
loads of the Maps API without permission, and fails to respond when
contacted by Google.
Though this may be debatable, to me it seems a bad idea using your user's API key. For sure you need to ask the permission, then you have to monitor their quotas and so on, a minefield...
TL;DR if you exceed constantly the daily quota you should purchase a larger quota.
I'm using Google Maps web services to perform server-side (reverse) geocoding.
I've got a browser-side and server-side Google API key from the Google APIs Console, which permits the Google Maps JS API to use higher request quotas, and enables pay-per-use for overages (successfully tested in-browser via JS). But the server-side key doesn't seem to work on web services requests.
For example, this URL works fine:
http://maps.googleapis.com/maps/api/geocode/json?sensor=true&latlng=43.477329,-80.548601
But if you add a "key=..." parameter, as in the other APIs, I get a REQUEST_DENIED status.
Am I doing something wrong, or is this just not supported on the web services APIs (yet)? Will it be supported in the future?
See also
request_denied when i include key=my_api_key
Nope, you're not doing anything wrong.
Unfortunately, enforcing tight limits on the Google Geocoding API, also called "Server-Side Geocoding", is Google's design. If your app needs more than 2,500 Server-Side Geocodes per day, then you'll need to upgrade to their Google Maps API for Business product.
Hold on, it gets worse.
If your app's server IP address is shared with other apps, that 2,500 request daily limit applies to ALL of them. This includes apps that share the same server IP address as you, but don't belong to you! This can be a common situation with any PaaS, like Google App Engine or Heroku. So, even if your app works flawlessly today, there is no guarantee that it's still going to work tomorrow.
In the article, "Geocoding Strategies", Google indicates the solution is to "almost always" use "Client-Side Geocoding" via the Geocoding Service, part of the Google Maps JavaScript API V3. The primary reason is that limits are enforced per user, per session. Requests like this shouldn't run up against quota limits unless you're executing geocode batches on the client (not a typical use case).
One golden nugget from the "Geocoding Strategies" article: Design a page that takes user input, calls the client-side Geocode service method, then passes that information to your server app where it can be processed, and hopefully cached. This is FAR from ideal, but if upgrading to Google Maps API for Business isn't an option, it might be the only way to go.
Good luck!
According to this post, your API key should work as one of the three option for requests over 25,000 loads per day.
https://developers.google.com/maps/faq#usagelimits
The following are the usage limits as specified by Google on their Developer Guide pages:
Google Maps JavaScript API v3 => For-profit web sites are permitted to generate up to 25,000 map loads per day
Google Geocoding API => subject to a query limit of 2,500 geolocation requests per day
Google Maps API for Business => may perform up to 100,000 requests per day
Am trying to evaluate using any one of the above for use with Visualforce on Salesforce.com (SFDC) platform [*]
I understand for a public website the requests are per IP. Now for SFDC, there could be many different Organizations on a particular server (say, NA1). So, two different companies using SFDC and Google Maps API could have an URL at https://na1.salesforce.com/something_here and their requests should be counted separately.
Will it be so? What will happen in case of each API?
[*]SFDC is a SaaS cloud for the purpose of our discussion. All users login through the same page but they could be logged into different "orgs"/"organizations" but their URLs might look similar
It's important to differentiate between the server-side and client-side limits here. The server-side geocoding api would have have the 2500 limit enforced across the shared Salesforce instance based on how many machines the requests come from (I assume NA1 isn't 1 huge server). Multiple organization using the free geocoding API would all share the same server-side geocoding limit. I've actually run into the same limits using Google's own App Engine platform, where a bunch of applications share the same outbound IP address.
For any sort of guaranteed performance you'll need to send the queries from your own server or go the Maps for Business route which lets you authenticate your queries to get those higher limits.
Client-side geocoding via the JavaScript API doesn't have these server-limits, so if users do any sort of action to trigger a geocode or two using the JS API is the best route.
You can already create your own "bucket" to track your 25K map loads per day by signing up for an API Key.
This question on SO addresses the geocoding API specifically being run from a visualforce page directly, Salesforce: Google maps query status 620 G_GEO_TOO_MANY_QUERIES and it does seem to mean that without a key the limits are shared. I would suspect that unless you plan on giving the app away that you are working on, you will pretty much be forced to pick up an upgraded API key. One thing you may want to look at to work around this is hosting the maps portion in another location, and iframing it into Salesforce.