Google API Keys

Discover exposed Google API keys in client-side code, GitHub repos, and public datasets.

8 Categories30+ CommandsCopy Ready

Phase 1

Introduction

1What are Google API Keys?

Google API Keys = credentials for Maps, Analytics, YouTube, etc.

2Common Google API key format

Format: AIzaSyDaGivXXXXXXXXXXXXXXX (39 chars)

3Where are API keys exposed?

Found in: Client-side JS, GitHub, browser cache, public datasets

Phase 2

Finding API Keys in JavaScript

1#1 Google dork for API keys on target domain

intext:"AIzaSy" site:target.com

2#2 Search in JavaScript files specifically

intext:"AIzaSy" "target.com" filetype:js

3#3 Extract API keys from downloaded JS files

cat alljs.txt | grep -oE "AIzaSy[a-zA-Z0-9_-]{35}" | sort -u

Phase 3

GitHub Dorks for API Keys

1#1 Search GitHub repos for API keys

org:target "AIzaSy"

2#2 Search for common variable names

org:target "google_api_key" OR "googleapikey" OR "google_api"

Phase 4

Recon Tools for API Key Discovery

1#1 Profanalyzer - tool for analyzing JS files

https://github.com/streaak/profanalyzer

2#2 GSIL2 - Google Services Identifier Library

https://github.com/ice3man/GSIL2

3#3 Crawl and collect all JS file URLs

katana -u https://target.com/ -d 3 -jc | grep '\.js$' | tee alljs.txt

Phase 5

Testing Discovered API Keys

1#1 Test Google Maps API key (Geocoding)

curl "https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway&key=AIzaSyYOURKEY"

2#2 Test YouTube Data API key

curl "https://www.googleapis.com/youtube/v3/videos?part=snippet&id=dQw4w9WgXcQ&key=AIzaSyYOURKEY"

Phase 6

Common Google API Endpoints

1Google Maps - Geocoding, Places, Directions, etc.

https://maps.googleapis.com/maps/api/ (Maps API)

2YouTube - Videos, playlists, comments

https://www.googleapis.com/youtube/v3/ (YouTube Data API)

3Google Analytics - User activity data

https://analyticsdata.googleapis.com/v1beta/ (Analytics Data API)

Phase 7

Nuclei Scanning for API Keys

1#1 Scan target with Nuclei Google API template

nuclei -u https://target.com -t google-api-keys -o nuclei-results.txt

2#2 Scan list of JS files for exposed keys

cat js-files.txt | nuclei -t google-api-keys -o api-keys-results.txt

3#3 Nuclei template for Google API detection (reference)

https://github.com/coffinxp/nuclei-templates/blob/main/google-api-keys.yaml

Phase 8

Exploitation Examples

1Impact: Consume victim's API quota

Free quota usage = Make unlimited API calls

2Impact: Access private data via API

Data access = Read sensitive info if permissions allow

3Impact: Abuse services for malicious purposes

Service abuse = Spam, fake listings, data pollution

Phase 9

Mitigation & Prevention

1Use server-side proxies for API calls

#1: Never embed API keys in client-side code

2Store keys in .env files (not committed to Git)

#2: Use environment variables for API keys

3Set HTTP referrer restrictions per key

#3: Restrict API key domains in Google Cloud Console

4Periodically regenerate and revoke old keys

#4: Rotate API keys regularly

5Set up alerts for unusual activity

#5: Monitor API usage in Google Cloud Console

Tools

Tools & Resources

Profanalyzer

Tool for analyzing JS files and finding API keys

GSIL2 - Google Services Identifier

Library for identifying Google services in code

Nuclei Google API Keys Template

Ready-to-use Nuclei template for detection

Google Cloud API Keys Docs

Official documentation on API key security