Tags: android, google-app-engine, api-key, google-cloud-endpoints-v2

What is the correct way to provide an API Key to a Google Cloud Endpoints 2 API for an app?


I have an API in Google Endpoints, and I've generated the API key needed by the Android app I'm working on to access the API. However, I have no idea where to supply the API key when using the generated client library. Every request made from the app returns a 403; the Android app is forbidden. I've also read on SO that it should be given in the header, but the closest that the Google Endpoints API docs mention is that an API key should be part of the URL, which, however, doesn't seem to be the case if the request is from an Android client.

When the API key is removed from the API, any query, even curl, is able to retrieve the expected result. Any documentation on how this should be done with code examples will also be very much appreciated.

Edit: I am also wondering if Google itself has placed restrictions on using the android debug.keystore's SHA-1 in Endpoints.

PS: my earlier question regarding this was unfairly downvoted, and the only answer received was about country restrictions, which I am sure has nothing to do with this. So maybe this time I'll rephrase my question in another way.


Solution

  • I've managed to get at least one type of API key to work with a Google Cloud Endpoints API. Here's how:

    1) The 'usable' API key was generated by not having any restrictions on it (i.e. not Android App, Web, etc.). You can select restrictions for a key when creating it in the API credentials page.

    2) The 'usable' key was passed to the generated client library through the service..setKey(...) method.

    This somewhat produced what I was going for: allowing calls to the API only by callers that can identify themselves. The reason why it works (complete assumptions and guesswork from this point onward) is that the generated client library makes an HTTPS request to the API, and therefore the authorization checks should then be done by the API (Endpoints framework) in the context of an HTTPS request, rather than in the context of an Android app.

    If this is true, then I am very much interested in finding out how an Android app makes a 'correct' call to an API with the generated client library.

    Update: Screenshot and code of current setup

    In Google Cloud Console -> API & Services -> Credentials: [screenshot]

    Usage of API Key in Java code:

    // Call to the generated client library for the API
    DataCollection dataCollection = service.getDataAPIMethod()
            .setX(...)
            .setY(...)
            .setZ(...)
            .setKey("***")
            .execute();