To use a Google service you can use OAuth authentication or, if you don't need to log the user in, a public API key, defining an authorized domain as the origin of the request. Now, I'm writing my own API using Google Endpoints and I will allow users to use my APIs with a public API key, not OAuth. Is there any built-in method to do so in GAE, or do I have to write my own code to verify the API key and the origin of the request to my APIs?
If you are using a client key, you can limit who can access your API by defining a list of referrers in the Google console. If you are using the server API key, you can limit it by defining a list of IPs, which I believe can't be done with GAE since we don't know the server IP, which can change at any time.
If you don't use authentication, you don't need to provide an API key, I guess.
I have the same problem.
I found a solution; I'm not sure it is really secure. Here is the solution:
I have something working with:
- OAuth credentials created on the API console
- My client ID (given when you create your credentials) is only in my server-side code.
- An endpoint constructed with this client ID.
- I didn't check the button that activates OAuth authentication on my App Engine application.
Result:
- Every user can send data without any identification.
- Everybody can call every method of the web service by calling gapi.client.xxxx.list in the browser console, so I removed the forbidden methods from the API endpoint.
I've worked out how to do this for the current GCP console. Google's documentation seems to be lacking the important step of enabling access to your own API in the project it is in.
This is what Google's docs say:
Create one API key for all callers
When you don't need to distinguish between callers of your API, and you don't need to add API restrictions, but you still want to require an API key (to prevent anonymous access, for example), you can create one API key for all callers to use.
To create one API key for all callers:
In either the project that your API is configured in, or a project that your API is enabled in, create an API key for all callers.
Give the same API key to every caller.
The missing step 0 is to enable the private API in your project. The steps for which are:
- In the GCP Console, go to APIs & services for your project.
- On the Library page, click Private APIs.
- Click the API you want to enable.
- In the page that displays information about the API, click Enable.
Then step 1.5 is to restrict the API key to only access your private API. Now that you have enabled this API you'll see it as one of the options for API restriction on the key edit page.
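For the question's other option, verifying the key and the request origin in your own code, here is an added example that is not part of any post above and not Google's code. The `X-API-Key` header, the `key` query parameter, the key value and the origins are constructed assumptions; `headers` and `query` are plain dicts.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the page).
API_KEYS = {"web-client": "k_constructed_sample_key_123"}
ALLOWED_ORIGINS = {"https://app.example.com", "https://www.example.com"}


def origin_of(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/").lower()
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def key_is_valid(presented):
    """Compare against every stored key in constant time per comparison."""
    if not presented:
        return False
    ok = False
    for stored in API_KEYS.values():
        ok |= hmac.compare_digest(presented.encode(), stored.encode())
    return ok


def authorize(headers, query):
    """Return (status, reason) for one request."""
    key = headers.get("X-API-Key") or query.get("key")
    if not key_is_valid(key):
        return 401, "missing or unknown API key"
    # Exact match on the whole origin: prefix or substring matching would
    # accept hosts such as app.example.com.other.test.
    if origin_of(headers) not in ALLOWED_ORIGINS:
        return 403, "origin not allowed for this key"
    return 200, "ok"
```

Origin and Referer are supplied by the client, so this check constrains browsers only; a public key restricted this way limits casual reuse and does not identify or authenticate the caller.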
Source: https://stackoverflow.com/questions/23337938/google-endpoints-and-public-api-key