API keys with referer restrictions cannot be used

You’ve tried typing in addresses into your WordPress Store Locator Plus® map page but always get “location not found”. Being a tech savvy person you took a look at your browser developer console and notice an “API keys with referer restrictions cannot be used with this API.” in the JavaScript console.

Thankfully our MySLP users don’t have to deal with this sort of thing; but if you are using the self-managed WordPress plugins, read on.

Stop the Google API key madness with MySLP

MySLP drops the Google API key madness once-and-for-all. If you are tired of the API key game, it may be time to switch.

Advanced

$5/month

• 150 Locations
• 1,000 Map Views
• Extra map views billed at $5/1000 views
• Basic locator styling

Professional

$35/month

• 5,000 Locations
• 5,000 Map Views
• Extra map views billed at $5/1000 views
• Unlimited Categories
• GPS Location Sensor
• CSV import and export
• Full control over search form and results layout
• Map color scheme and element styling
• Feature locations
• Directory listings

Enterprise

$55/month

• 15,000 Locations
• 8,000 Map Views
• Extra map views billed at $5/1000 views
• Unlimited Categories
• GPS Location Sensor
• CSV import and export
• Full control over search form and results layout
• Map color scheme and element styling
• Feature locations
• Directory listings
• Scheduled CSV Imports
• Advanced Reporting
• Territories
• Cluster Map Markers

Selected Plan

Email

Password

First Name

Last Name

Sign Up

Fixing Referer Restrictions, The Hard Way

You’ve found the telltale sign that your restricted browser API key has been set in the Store Locator Plus geocoding key field. Coming soon with the WordPress Store Locator Plus 5.0.4 release is a new message that will show in your map results telling you what error codes Google is sending back.

There are a couple of correct ways to setup your Google API keys for Store Locator Plus

Method 1: Using A Single API Key

The first way to address API keys with referer restrictions is to use an API key with no restrictions. You can use a SINGLE API key from Google for both Geocoding and Maps. It cannot have ANY restrictions set. When doing this you put the key in the Browser Key field in Store Locator Plus — under Store Locator Plus | General Server.

Method 2: Using Restricted Keys

The first way to address API keys with referer restrictions is to create two API keys — one for browsing and one for geocoding. This is the preferred method for as your Google API keys are safe from people copying them from your site for their own use. Nobody wants to be footing the bill for someone else’s Google Maps.

If you use this method you need to setup TWO Google API keys. Name them “Browser Key” and “Geocoding Key”.

Browser Key

This should have a single restriction turned on — the referer restriction. The value of that restriction should contain your website URL. Using a wildcard like https://*.storelocatorplus.com/ is usually a good idea as many web servers allow the non-www (http://3.211.25.112/) and WWW address (http://3.211.25.112) to be used.

This key goes in the SLP setting for Google Browser Key.

Geocoding Key

This should have a single restriction turned on — the IP addresses restriction. The IP address is USUALLY the IP address associated with your web host. However there are some exceptions.

A “Simple” Web Host IP Address

You can use various tools to find your IP address of your site. Usually your host makes it obvious on their we interface. You can use nslookup tools for Linux or MacOS geeks. This will show you the PUBLIC IP address of your site.

You can use this is you are on a dedicated host and you know that your hosting company uses this for your inbound and outbound traffic. Simple.

If you are on a shared host this will usually work as well — but keep in mind that anyone else on your shared host probably has the same IP address and COULD use your Geocoding API key if they find it. However, since your API key can only be seen if someone logs into your admin panel since our SLP 5 release, that is not a concern. This is the primary reason why all Geocoding requests in SLP 5 now route through your WordPress install with a REST API — it keeps your Geocoding key PRIVATE.

A Proxy Service

If you are using a proxy service to speed up and secure your site — Sucuri is a popular one, then you must use your NATIVE host IP address NOT the proxy address. The Geocoding request are coming directly from your server to the Google server and typically will NOT route through a proxy service like Sucuri.

Proxy services and their IP address are typically only “in play” when a request originates from the outside world TO your website — someone surfing your site for example. The proxy IP address normally is not used when your server — the WordPress app asking Google for a latitude/longitude for SLP for example.

Accelerated Service IP Address

High end hosting company may have a THIRD IP address that is in use. This can be used when a larger hosting company has a plan in place for faster network connections with Google. In this case there may be a hidden third IP address that is used whenever the hosting company sees a request coming from inside their network (your hosted website) to Google. In these rare cases you’ll need to ask your hosting company if they use a special IP address to communicate from your site to Google — this is the IP address you’ll add to your IP restrictions.

Not sure which IP is used?

Try turning off all restrictions to your Geocoder key. Geocode a location via a map lookup or adding a location on the back end. Then ask Google to look at your API key account and tell you the IP address that the request came from. If they cannot help try asking your hosting company.

SLP 5.0.4 Showing IP address

If you are using SLP 5.0.4 or higher the new messages that are returned will show the IP address from your server that was used to query Google.