gmapi-audit

A user-friendly CLI that checks whether a Google Maps Platform API key is valid and which APIs it can access.

It supports testing HTTP referrer / Origin restricted keys by letting you supply the headers that a browser would send.

Install (recommended: venv)

cd gmapi-audit
python3 -m venv .venv
. .venv/bin/activate
pip install -U pip
pip install -e .

Usage

gmapi-audit run --api-key "YOUR_KEY"

# Test a browser-restricted key
gmapi-audit run --api-key "YOUR_KEY" --referer "https://example.com/" --origin "https://example.com"

# Only run a subset
gmapi-audit run --api-key "YOUR_KEY" --only places,routes

Output

For each probe, the tool prints:

  • Status: PASS/FAIL (colorized)
  • PoC: a clickable URL when possible, otherwise a ready-to-run curl that includes headers
  • Why: a best-effort explanation (invalid key vs API disabled vs billing vs restriction mismatch, etc.)
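As an added illustration, not code from the gmapi-audit project, here is a minimal classifier for the "Why" column: it maps the two response shapes a probe can receive (legacy `status`/`error_message` bodies and modern `error` objects) onto the reason categories listed above. The sample bodies are constructed; their message texts only illustrate the shape, and the keyword table is an assumption about what such messages contain.

```python
import json

# Constructed sample responses (not captured from Google). Legacy
# maps.googleapis.com/maps/api/... bodies carry a top-level "status" and
# "error_message"; modern *.googleapis.com bodies carry a google.rpc-style
# "error" object. Message texts are illustrative only.
SAMPLES = {
    "legacy_ok": (200, '{"status":"OK","results":[{"formatted_address":"x"}]}'),
    "legacy_bad_key": (200, '{"status":"REQUEST_DENIED","error_message":"The provided API key is invalid."}'),
    "legacy_disabled": (200, '{"status":"REQUEST_DENIED","error_message":"This API project is not authorized to use this API."}'),
    "legacy_referer": (200, '{"status":"REQUEST_DENIED","error_message":"API keys with referer restrictions cannot be used with this API."}'),
    "modern_ok": (200, '{"places":[{"id":"abc"}]}'),
    "modern_ip": (403, '{"error":{"code":403,"message":"Requests from this IP address are blocked.","status":"PERMISSION_DENIED"}}'),
    "modern_billing": (403, '{"error":{"code":403,"message":"This API method requires billing to be enabled.","status":"PERMISSION_DENIED"}}'),
    "modern_bad_key": (400, '{"error":{"code":400,"message":"API key not valid.","status":"INVALID_ARGUMENT"}}'),
}

# Keyword -> reason category, checked in order against the lower-cased message.
# Assumed keywords; extend as you observe real responses.
REASONS = [
    ("key not valid", "invalid key"), ("key is invalid", "invalid key"),
    ("not authorized", "API disabled"), ("has not been used", "API disabled"),
    ("disabled", "API disabled"), ("billing", "billing"), ("quota", "billing"),
    ("referer", "restriction mismatch"), ("referrer", "restriction mismatch"),
    ("ip address", "restriction mismatch"),
]

def explain(message: str) -> str:
    """Best-effort reason for a denied probe, derived from the error text."""
    msg = message.lower()
    for needle, reason in REASONS:
        if needle in msg:
            return reason
    return "unknown (see message)"

def classify(http_status: int, body: str) -> tuple[str, str]:
    """Return (PASS|FAIL, why) for one probe response."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:  # e.g. PNG bytes from a static image endpoint
        return ("PASS", "non-JSON body") if http_status == 200 else ("FAIL", f"HTTP {http_status}")
    if "error" in data:  # modern error object
        return ("FAIL", explain(data["error"].get("message", "")))
    status = data.get("status")
    if status in (None, "OK", "ZERO_RESULTS"):  # modern success bodies carry no "status"
        return ("PASS", "key accepted")
    if status == "OVER_QUERY_LIMIT":
        return ("FAIL", "billing")
    return ("FAIL", explain(data.get("error_message", "")))
```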

Notes

  • IP restricted keys cannot be tested from an arbitrary machine (the source IP cannot be spoofed). The tool will explain this case.

  • “Modern” vs “Legacy” depends on the API:

    • Places: modern Places API v1 (places.googleapis.com)
    • Routes & Route Matrix: modern Routes API v2 (routes.googleapis.com)
    • Static map rendering can be done with the modern Map Tiles API (2D Tiles) (tile.googleapis.com) but it is not a 1:1 “static image URL” API. See Roadmap tiles and Session tokens.
    • Street View Static has a modern tiles-based alternative: Street View Tiles.
    • Geocoding also has a newer REST surface at geocode.googleapis.com (v4beta). See GeocodeAddress.
    • Some products still only have the legacy maps.googleapis.com/maps/api/... endpoints.
  • Gemini / Generative Language API: Some AIza... keys used for Maps/Firebase can also access Gemini endpoints if the API is enabled in the same Google Cloud project. This tool includes a probe for that behavior, as described in Truffle Security’s writeup.

  • Pricing table intent: The pricing table is meant to illustrate potential cost impact if a key is leaked. Some probes (notably Places) intentionally request a richer field set to reflect potentially costly SKUs. Always verify against the official pricing list.

About

Audit a Google Maps Platform API key against modern + legacy endpoints.