How to protect your API key

If you publish a map, you are also exposing your API key. There are several ways to protect your key and prevent misuse, and we describe them in detail on this page.

Initially, your MapTiler account only contains the default key, which is special and can't be protected. To apply any of the described protection methods, you need to create a new key.

Allow map usage only on listed websites

If the map is only published on certain websites, list these websites in the Allowed HTTP origins field. For example, enter mydomain.com to ensure that only requests coming from mydomain.com get processed. To allow requests from subdomains, use *.mydomain.com. Put each rule on a separate line.

Make sure your applications send the Origin (or Referer) header; otherwise the requests are treated as “unknown” and are rejected as soon as any origin is listed here. You can use the ? placeholder to explicitly allow unknown origins. Requests whose Origin header names a domain that is not on this list are still rejected.

Allow map usage only in listed software

For other usage where the map is not served from a specific URL, such as mobile apps or desktop GIS software, you can whitelist software by its user-agent. Only this software will then be able to use the map.

In the Allowed user-agent header field, fill in a substring of your software’s user-agent. Note that the field is case-sensitive. The saved substring is compared with the User-Agent HTTP header of each request; if there is a match, the request is processed, otherwise it is denied.

Because only a substring is compared with the User-Agent HTTP header, "coolest-mobile-map-app" matches user-agent headers such as "coolest-mobile-map-app-0.5" and "coolest-mobile-map-app-1.1", but it also matches "my-friend's-coolest-mobile-map-app". Make sure the substring is unique.
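The following Python model is an added example, not MapTiler's own code: it reproduces the two restrictions as this page describes them (an Origin/Referer allow-list with one rule per line, `*.` wildcards and the `?` placeholder for unknown origins, plus a case-sensitive User-Agent substring check) so you can test a rule set against constructed requests before saving it. The treatment of the apex domain under a `*.` rule (not matched; list it separately) and the fallback from Origin to Referer are assumptions made here for illustration.

```python
"""Local model of the API-key restrictions described on this page.

Added example for testing rule sets; it is not MapTiler's implementation.
Assumptions: a "*.example.com" rule matches subdomains only (list the apex
separately), and Referer is consulted only when Origin is absent.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse


def parse_origin_rules(text: str) -> List[str]:
    """One rule per line, as entered in the Allowed HTTP origins field."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def request_host(headers: Dict[str, str]) -> Optional[str]:
    """Host taken from Origin, falling back to Referer; None when unknown.

    An Origin of "null" or a missing header yields None, i.e. "unknown".
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            host = urlparse(value).hostname
            if host:
                return host.lower()
    return None


def host_matches_rule(host: str, rule: str) -> bool:
    """Exact match, or subdomain match for a '*.' rule.

    rule[1:] keeps the leading dot, so "*.mydomain.com" does not match
    "notmydomain.com" (a classic suffix-matching mistake).
    """
    rule = rule.lower()
    if rule.startswith("*."):
        return host.endswith(rule[1:])
    return host == rule


def origin_allowed(headers: Dict[str, str], rules: List[str]) -> bool:
    """Empty rule list means no origin restriction at all."""
    if not rules:
        return True
    host = request_host(headers)
    if host is None:
        # Unknown origin: accepted only when the "?" placeholder is listed.
        return "?" in rules
    return any(host_matches_rule(host, r) for r in rules if r != "?")


def user_agent_allowed(ua_header: Optional[str], required: Optional[str]) -> bool:
    """Case-sensitive substring match; an empty setting disables the check."""
    if not required:
        return True
    return bool(ua_header) and required in ua_header


def request_allowed(headers: Dict[str, str], rules: List[str],
                    ua_substring: Optional[str]) -> bool:
    """Both restrictions must pass for the request to be served."""
    return (origin_allowed(headers, rules)
            and user_agent_allowed(headers.get("User-Agent"), ua_substring))


# Constructed sample rule set and requests (not taken from a real account).
ORIGIN_RULES = parse_origin_rules("mydomain.com\n*.mydomain.com\n")
UA_SUBSTRING = "coolest-mobile-map-app"
SAMPLE_REQUESTS = [
    {"Origin": "https://mydomain.com"},                      # allowed: exact
    {"Origin": "https://maps.mydomain.com"},                 # allowed: wildcard
    {"Referer": "https://notmydomain.com/page"},             # denied: no rule
    {},                                                      # denied: unknown
    {"Origin": "null"},                                      # denied: unknown
    {"User-Agent": "my-friend's-coolest-mobile-map-app"},   # shows the pitfall
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(origin_allowed(req, ORIGIN_RULES),
              user_agent_allowed(req.get("User-Agent"), UA_SUBSTRING), req)
```

Run the rule set you intend to save through `request_allowed` with the headers your real clients send; a browser map that is denied almost always turns out to be missing the Origin/Referer header or served from a host that is not covered by the listed rules, and a user-agent substring that passes the last sample request is not unique enough.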

What’s next

To create an API key with the described restrictions, go to your MapTiler account, page API keys and click New key.