Generating an API Key
You can create as many API keys as you need directly from your Google dashboard. Each key is shown only once at creation, so make sure to copy and store it securely before closing the dialog.
Open API Key Settings
Log in to your Google dashboard and navigate to Settings in the main sidebar, then select API Keys from the settings menu.
Create a New Key
Click New API Key in the top-right corner of the API Keys page to open the key creation dialog.
Name Your Key
Enter a descriptive name for the key — for example, Production Backend or Data Sync Integration. A clear name makes it easy to identify and revoke specific keys later.
Select Scopes
Choose the permission scopes this key should have. Apply the principle of least privilege: only grant the scopes your integration actually needs. See the API Key Scopes section below for the full list.
Passing Your API Key
Include your API key on every request using the Authorization header with the Bearer scheme. The example below shows a basic authenticated request to the Users endpoint:
Replace YOUR_API_KEY with the key value you copied during generation. Requests made without this header, or with an invalid key, will receive a 401 Unauthorized response.
API Key Scopes
Scopes define what an API key is permitted to do. When creating a key, select only the scopes required for your use case. You can update scopes on existing keys from the Settings > API Keys page at any time.

| Scope | Access Level |
|---|---|
| read:all | Read all resources |
| write:all | Create and modify all resources |
| admin | Full access including settings |
| read:data | Read data records only |
| write:data | Create and modify data records |
| read:users | Read user info only |

Keys with the admin scope have unrestricted access to your entire Google workspace, including sensitive settings. Reserve this scope for trusted, internal automation only.
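The following is an added example, not part of the original documentation: one way to audit a key's scopes against what an integration actually needs before granting them. The scope names come from the table above; the (action, resource) model, the resource kinds, the assumption that a write scope does not imply read, and the function names are assumptions made for illustration.

```python
# Scope names come from the page's table. The (action, resource) model, the
# resource kinds, and "write does not imply read" are assumptions.
ACTIONS = ("read", "write")
RESOURCES = ("users", "data", "settings")

SCOPE_GRANTS = {
    "read:users": {("read", "users")},
    "read:data": {("read", "data")},
    "write:data": {("write", "data")},
    # Assumed: the *:all scopes exclude settings, since only admin lists them.
    "read:all": {("read", r) for r in ("users", "data")},
    "write:all": {("write", r) for r in ("users", "data")},
    "admin": {(a, r) for a in ACTIONS for r in RESOURCES},
}


def narrowest_scope(need):
    """Return the scope that grants `need` while granting the least beyond it."""
    candidates = [s for s, perms in SCOPE_GRANTS.items() if need in perms]
    if not candidates:
        raise ValueError(f"no scope grants {need}")
    return min(candidates, key=lambda s: (len(SCOPE_GRANTS[s]), s))


def audit_key(granted, needed):
    """Compare the scopes on a key with the permissions an integration needs."""
    effective = set().union(*(SCOPE_GRANTS.get(s, set()) for s in granted))
    suggested = sorted({narrowest_scope(n) for n in needed})
    return {
        # Scope strings that are not in the table (typos, stale names).
        "unknown": sorted(set(granted) - set(SCOPE_GRANTS)),
        # Needs the key cannot satisfy: these calls would return 403 Forbidden.
        "missing": sorted(n for n in needed if n not in effective),
        # Granted scopes broader than, or unrelated to, what is needed.
        "excess": sorted(s for s in granted
                         if s in SCOPE_GRANTS and s not in suggested),
        "suggested": suggested,
    }


if __name__ == "__main__":
    # Constructed sample: a sync job that only reads users but holds admin.
    print(audit_key({"admin"}, {("read", "users")}))
```
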
Authentication Errors
If your API key is missing, expired, or lacks the required scope for an endpoint, the API will return one of the following error responses:
- 401 Unauthorized — The API key is invalid, malformed, or not included in the request.
- 403 Forbidden — The API key is valid but does not have the scope required to access the requested resource.
Both error types return the same JSON envelope structure:
Use the code field (UNAUTHORIZED vs FORBIDDEN) to distinguish between the two cases in your error-handling logic. For 403 errors, check that the key you are using has the correct scope for the endpoint you are calling.
Security Recommendations
Keep your API keys secure by following these practices:
- Store keys in environment variables (e.g., GOOGLE_API_KEY) and inject them at runtime.
- Use a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or 1Password for production workloads.
- Rotate keys periodically and immediately upon any suspected exposure.
- Revoke unused keys from Settings > API Keys to reduce your attack surface.