Google Credentials API Key / OAUTH Client ID Limit - google-api

I know there is a project limit per Google account, but can someone tell me (or point me to the documentation) if there is an API Key / OAuth Client ID limit per project or Google account?

I am not aware of any limit as to the number of clients or API keys a single project can create. You should be aware that if they are all under the same project they are going to be part of the same quota, so running multiple applications under the same project is probably not a good idea.

Related

How to block Google Firestore access from the Google Firestore api

I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" API in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks. Again, all the API requires is the project ID to access the data, so I need to lock that down first before I move any further. Rules are only for mobile/web clients from what I read, and server-side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore API to access the data.
It's unclear from the limited information in your question, but your Firestore database is not open to anyone with the Project ID.
The service is only accessible to anything (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.
In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.
Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.
I suspect that your code is using ADCs to authenticate you to the project|service.
"Access to the data is wide open as long as you know the project id and using the Firestore API on a server."
If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.
Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public? If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.
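The first answer's point, that Application Default Credentials rather than the project ID are what grant access, can be checked on the machine running the code. The Go program below is an added example, not part of either answer or of Google's client libraries; it reports which credential ADC would pick up, and the names adcSource, describeFile and resolveADC are hypothetical. It assumes Linux/macOS paths and covers only the file-based steps of the ADC search order.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// adcSource describes the credential ADC would select; it holds no secrets.
type adcSource struct{ Origin, Type, Identity string }

// describeFile keeps only client_email (service account) or client_id (user login).
func describeFile(origin, path string) (adcSource, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return adcSource{}, err
	}
	var f struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		ClientID    string `json:"client_id"`
	}
	if err := json.Unmarshal(raw, &f); err != nil {
		return adcSource{}, fmt.Errorf("%s: %w", path, err)
	}
	id := f.ClientEmail
	if id == "" {
		id = f.ClientID
	}
	return adcSource{origin, f.Type, id}, nil
}

// resolveADC walks the file-based ADC search order; getenv and home are injectable.
func resolveADC(getenv func(string) string, home string) (adcSource, error) {
	if p := getenv("GOOGLE_APPLICATION_CREDENTIALS"); p != "" {
		return describeFile("GOOGLE_APPLICATION_CREDENTIALS", p)
	}
	wk := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
	if _, err := os.Stat(wk); err == nil {
		return describeFile("gcloud user credentials file", wk)
	}
	// No file on disk: on GCP runtimes ADC uses the attached service account.
	return adcSource{Origin: "none on disk (metadata server if on GCP)"}, nil
}

func main() {
	src, err := resolveADC(os.Getenv, os.Getenv("HOME"))
	fmt.Printf("origin=%q type=%q identity=%q err=%v\n", src.Origin, src.Type, src.Identity, err)
}
```

If the output names a service account or a gcloud user login, that identity's IAM roles on the project are what allow the Firestore calls; on a host with no credential at all, the same client code fails to authenticate.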

Are Google Maps API limits applied to key or to cloud project?

Google Maps API (Directions API) has limit of 50 queries per second (QPS): https://developers.google.com/maps/faq#usage_apis
However, I need more than just 50 as my web app serves lots of users and 50 QPS is totally not enough; I get failure responses from Google Directions API all the time.
I can create multiple keys to use, but the question is whether the limit of 50 QPS applies to a single key or to the whole Google Cloud project. It isn't specified in the link above.
If it applies to the whole project, there's no point in creating multiple keys. Has anyone ever tried to figure this out?
Quotas are scoped to Projects; multiple API Keys in a project do not impact the project's quotas.
API Keys are often (not always) a way to provide otherwise unauthenticated users with a form of bearer token to access a Google API|service and APIs and services are always associated with a project.
If you lose (control of) an API Key, anyone using it (until it is deleted) is able to use the Key to access its project's resources.
For this reason, you may wish to use different API Keys for different subsets of your user base.
And|Or you may wish to employ a system in which you "rotate" API Keys (create new and eventually replace existing) to effectively require your users to reconfirm their use of your app.

Can Google Calendar API be used to create scalable scheduling service?

I need to create a scheduler for my own SaaS, and I'm trying to understand whether Google Calendar API is a fit for that. Basically I could have hundreds of thousands of calendars. Each calendar may be a user of my service, but not a Google user. It seems that perhaps I could use resource calendars under my Google Cloud service account. My biggest concern is whether my usage will fall within the Calendar API's service quotas, either automatically or by requesting a quota increase?
Yes, service accounts will fall within quota usage limits. There is also a limit about creating more than 25 calendars in a day, causing the user to end up in read mode for the rest of the day.
Google Calendar API Usage Limits
The Google Calendar API has a courtesy limit of 1,000,000 queries per day.
To view or change usage limits for your project, or to request an increase to your quota, do the following:
If you don't already have a billing account for your project, then create one.
Visit the Enabled APIs page of the API library in the API Console, and select an API from the list.
To view and change quota-related settings, select Quotas. To view usage statistics, select Usage.
On the one hand, you could work around the quota issues by sharding your users across multiple Service Accounts. You would probably also want to shard them across multiple App IDs.
On the other hand, don't do it. In my experience, using Google APIs outside their intended use case doesn't end well.

How to skip verification process for Google API Projects that works only in the sandbox mode?

Google started the OAuth developer verification process a few months back which forces the developers having OAuth applications to apply for verifications if they don't want their users to see a warning screen and to have an unlimited number of users using the OAuth flow.
I'm facing a problem due to this verification process when I have to use the projects in a local environment. There is no way I can verify the apps for local environments since the policies and T&Cs cannot be hosted.
Q1. Is there any way to skip the verification process and sandbox the OAuth application?
Q2. What is the exact limit for the accounts? (Since I use 5-10 Gmail accounts, but do multiple signups per day from those accounts and I still hit the limit quite often)
"Q1. Is there any way to skip the verification process and sandbox the OAuth application?"
If you check the side of the consent screen it answers some of your questions.
You can learn more here.
"Q2. What is the exact limit for the accounts? (Since I use 5-10 Gmail accounts, but do multiple signups per day from those accounts and I still hit the limit quite often)"
If you add these accounts as users on the project in the developer console they should be able to use it while you are testing.

Need a way to create multiple (say 250 for each) Google and Outlook test accounts for load testing OAuth-related APIs. (Example: Gmail API)

Scenario:
My application requires OAuth Google API communication.
My current requirement is to load test the API communication and its limitations, and to find a solution for the limitations.
Expected solution:
Need a simple way to create 250 Gmail accounts.
Accounts should be independent from each other.
Should require minimum individual phone numbers.
Additional requirement, but not mandatory:
Accounts should be reusable
Thanks
