Google API keys are used to authenticate applications that consume Google Cloud APIs. They are especially useful for accessing public data anonymously (like Google Maps), and are used to associate API requests with your project for quota and billing.
API keys are not strictly secret as they are often embedded into client side code or mobile applications that consume Google Cloud APIs. Still, they should be secured and should never be treated as public information.
An unrestricted Google API key being disclosed in a public source code would be used by malicious actors to consume Google APIs on the behalf of your application. This will have a financial impact as your organisation will be billed for the data consumed by the malicious actor. If your account has enabled quota to cap the API consumption of your application, this quota can be exceeded, leaving your application unable to request the Google APIs it requires to function properly.
Only administrators should have access to the Google API keys used by your application.
As a consequence, Google API keys should not be stored along with the application code as they could be disclosed to a large audience or could be made public.
Google API keys should be stored outside of the code in a file that is never committed to your application code repository.
If possible, a better alternative is to use your cloud provider’s service for managing secrets. On Google Cloud this service is called Secret Manager.
When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.
In addition to secure storage, it’s important to apply restrictions to API keys in order to mitigate the impacts when they are discovered by malicious actors.