How to protect your map key

If you publish a map, you are also exposing your API key. There are several ways to protect your key and prevent misuse, and we describe them in detail on this page.

Initially, your MapTiler account only contains the default key, which is special and can't be protected. To apply any of the described protection methods, you need to create a new key.

Allow map usage only on listed websites

If your map is published only on certain websites, you can list them in the Allowed HTTP origins field. For example, mydomain.com ensures that only requests coming from mydomain.com are processed. Use *.mydomain.com to allow requests from subdomains.

Put each rule on a separate line. Make sure your applications send the Origin (or Referer) header; otherwise, the requests will be treated as “unknown” and will be rejected if any origin is specified here.

You can use the ? placeholder to explicitly allow unknown origins (requests with an Origin header coming from a domain that is not in this list will still be rejected).

Allow map usage only in listed software

For other usages where the map is not used on a specific URL, such as mobile apps or desktop GIS software, you can whitelist software with a specific user agent so that only it can use your map.

In the Allowed user-agent header field, fill in a (case-sensitive) substring of your software’s user-agent. The saved substring is compared with the User-Agent HTTP header of each request. If the substring is found there, the request proceeds; otherwise, it is denied.

Only a substring is compared with the User-Agent HTTP header. If you save "coolest-mobile-map-app" there, it will work fine with "coolest-mobile-map-app-0.5", "coolest-mobile-map-app-1.1", etc. But it will also work with "my-friends-coolest-mobile-map-app".
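The origin rules and the user-agent substring check described above can be modelled in a few lines to see which requests a given rule set admits. This is an added example, not MapTiler's code; the function names are hypothetical, and it assumes rules are compared with the hostname of the Origin (or Referer) header, that *.mydomain.com covers subdomains but not mydomain.com itself, and that an empty field means no restriction.

```javascript
// Illustrative model of the rules described on this page; not MapTiler's code.
// Assumptions: rules are compared with the hostname of the Origin (or Referer)
// header, "*.mydomain.com" covers subdomains only, header keys are lowercase.

function requestHost(headers) {
  const value = headers.origin || headers.referer;
  if (!value) return null; // no Origin/Referer: an "unknown" origin
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null; // unparsable value: treated as unknown in this model
  }
}

function parseRules(text) {
  // One rule per line, as entered in the key settings field.
  return text.split("\n").map((r) => r.trim().toLowerCase()).filter(Boolean);
}

function originAllowed(rulesText, headers) {
  const rules = parseRules(rulesText);
  if (rules.length === 0) return true; // assumed: empty field, no restriction
  const host = requestHost(headers);
  if (host === null) return rules.includes("?"); // "?" admits unknown origins
  return rules.some((rule) => {
    if (rule === "?") return false; // never admits a known, unlisted origin
    if (rule.startsWith("*.")) return host.endsWith(rule.slice(1));
    return host === rule;
  });
}

function userAgentAllowed(substring, userAgent) {
  if (!substring) return true; // assumed: empty field, no restriction
  // Case-sensitive substring test: text before or after the match still passes.
  return typeof userAgent === "string" && userAgent.includes(substring);
}

// Constructed sample requests (hostnames and user agents are placeholders).
const RULES = "mydomain.com\n*.mydomain.com";
console.log(originAllowed(RULES, { origin: "https://maps.mydomain.com" }));
console.log(originAllowed(RULES, {}));
console.log(originAllowed(RULES + "\n?", {}));
console.log(userAgentAllowed("coolest-mobile-map-app", "my-friends-coolest-mobile-map-app"));
```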

What’s next

To create an API key with the described restrictions, go to the API keys page in your MapTiler account and click New key.
