How to protect your map key
If you publish a map, you are also exposing your map key. MapTiler offers several methods to give you control over the key to avoid misuse. Your key settings can be found on this page. Simply go to MapTiler Cloud → Account → API keys → Edit.
Allow map usage only on listed websites
If you have your map published only on certain websites, you can list them in the Allowed HTTP origins field. For example, mydomain.com will ensure that only requests coming from mydomain.com will be processed. Use *.mydomain.com to allow requests from subdomains.
Put each rule on a separate line. Make sure your applications send the Origin (or Referer) header; otherwise, the requests will be treated as “unknown” and will be rejected if any origin is specified here.
You can use the ? placeholder to explicitly allow unknown origins (requests with an Origin header coming from a domain that is not in this list will still be rejected).
Allow map usage only by listed software
For other usages where the map is not used on a specific URL, like mobile apps or desktop GIS software, you can whitelist only software with a specific user agent to be able to use your map.
In the Allowed user-agent header field, fill in a (case-sensitive) substring of your software’s user-agent. The saved substring will be compared with the User-Agent HTTP header of each request. If the substring is found there, the request will proceed; otherwise, it will be denied.
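To try out a rule list before saving it, the following added example (not MapTiler's code) models the origin and user-agent rules from the two sections above so you can see which requests they would let through. The function names and sample values are constructed, and the exact host matching, the subdomain-only wildcard and the handling of unparseable headers are assumptions.

```javascript
// Local model of the two restrictions described above (not MapTiler's code).
// Header names are lower-case keys, as Node.js exposes them.

// Hostname from Origin, falling back to Referer; null means "unknown" origin.
function requestHost(headers) {
  const value = headers.origin || headers.referer;
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null; // assumption: an unparseable value is treated as unknown
  }
}

// Assumption: a plain rule matches that exact host only, and "*.mydomain.com"
// matches subdomains only (the leading dot stops "notmydomain.com" matching).
function hostMatchesRule(host, rule) {
  const r = rule.toLowerCase();
  return r.startsWith("*.") ? host.endsWith(r.slice(1)) : host === r;
}

// rulesText: the field's content, one rule per line.
function originAllowed(headers, rulesText) {
  const rules = rulesText.split("\n").map((r) => r.trim()).filter(Boolean);
  if (rules.length === 0) return true; // no origin restriction configured
  const host = requestHost(headers);
  if (host === null) return rules.includes("?"); // "?" admits unknown origins
  return rules.some((r) => r !== "?" && hostMatchesRule(host, r));
}

// Case-sensitive substring match against the User-Agent header.
function userAgentAllowed(headers, substring) {
  if (!substring) return true; // no user-agent restriction configured
  return (headers["user-agent"] || "").includes(substring);
}

// Constructed sample requests, checked against constructed rules.
const RULES = "mydomain.com\n*.mydomain.com\n?";
const samples = [
  { origin: "https://maps.mydomain.com" },       // allowed: subdomain rule
  { referer: "https://mydomain.com/map.html" },  // allowed: Referer fallback
  { origin: "https://other.example" },           // rejected despite "?"
  {},                                            // allowed only because of "?"
];
for (const h of samples) console.log(JSON.stringify(h), originAllowed(h, RULES));
console.log(userAgentAllowed({ "user-agent": "mygisapp/2.1" }, "MyGisApp")); // case differs
```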