Use Google Maps restricted API key on server side ASP.NET Core

Question

I have an application in production that uses lots of Google Maps services and therefore I've created a restricted API key with HTTP referrers restriction. The restricted key works fine sending requests from client (loading maps, etc.), but I have trouble using it server side as I send some of the requests from ASP.NET Core controllers. Before I send the request I set the Referer header, but still the request gets denied:

var request = new HttpRequestMessage(HttpMethod.Get, url);
request.Headers.Referrer = new Uri(_configuration.GetValue<string>("Google:RequestReferrer")); //referrer string is set in the appsettings.json file
var client = _httpClientFactory.CreateClient();
var response = await client.SendAsync(request);

Is it possible to use the same restricted key on client side and server side by somehow setting the correct request headers or should I create a new API key restricted with IP for the server side usage.

Thank you.

Answer 1

No. If you're going to make 2 different types of requests (client side and server side) you should have a separate API key restricted with HTTP referrers for the client side, and an API key restricted with IP addresses for the server side.

You may also visit the API key Best Practices here for more details.