Fix guide · medium · google_api_key

Google API key (AIza) in client code

What this rule means

A string matching the Google API key format (the prefix AIza followed by 35 more characters) was found in your client-side code.

Why it matters

Google API keys are often *meant* to be public (Maps, YouTube embed). The risk depends on key restrictions. Without HTTP referrer or API restrictions, the key can be used by anyone for any enabled API — driving up your bill.

How to fix it

  1. Check the key's restrictions in Google Cloud Console → APIs & Services → Credentials.
  2. Add HTTP referrer restrictions scoped to your domain.
  3. Restrict to specific APIs the key is supposed to use.
  4. Set a quota cap so abuse can't bankrupt you.
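The checks in steps 1 to 3 can be scripted once the key configuration is exported. The following is an added example, not part of the original guide or of vibecheck. It assumes input in the shape produced by `gcloud services api-keys list --format=json` (the API Keys API v2 Key resource); the key names, the sample data and the domain example.com are constructed placeholders. Quota caps (step 4) are not part of the key resource and are not checked here.

```python
import json

# Constructed sample in the shape of `gcloud services api-keys list --format=json`.
# Display names and values are made up for illustration.
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "maps-web-prod",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "legacy-browser-key"},
  {"displayName": "wildcard-key",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}}
]
""")


def audit_browser_key(key, allowed_domain):
    """Return a list of findings for one key that ships in client code."""
    findings = []
    restrictions = key.get("restrictions") or {}
    browser = restrictions.get("browserKeyRestrictions") or {}
    referrers = browser.get("allowedReferrers") or []
    if not referrers:
        findings.append("no HTTP referrer restriction")
    for ref in referrers:
        # Drop scheme and path, then require the host to be the domain or a subdomain.
        host = ref.split("://", 1)[-1].split("/", 1)[0]
        if host.startswith("*."):
            host = host[2:]
        if host != allowed_domain and not host.endswith("." + allowed_domain):
            findings.append(f"referrer not scoped to {allowed_domain}: {ref}")
    if not restrictions.get("apiTargets"):
        findings.append("no API restriction (usable with any enabled API)")
    return findings


def audit(keys, allowed_domain):
    """Map each key's display name to its findings, omitting clean keys."""
    report = {k.get("displayName", "<unnamed>"): audit_browser_key(k, allowed_domain)
              for k in keys}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_KEYS, "example.com").items():
        print(name, "->", "; ".join(found))
```

A key with no `restrictions` object at all is reported for both missing referrer and missing API restrictions, which is the case this rule is most concerned with.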

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
