I have a requirement to call the Google Maps Streetview Static API from the browser clientside, in response to a user click.
Am I right in saying that trying to digitally sign these calls on demand is pointless, as I would need to expose my secret clientside? I don’t have the option of signing serverside. (I’m just hosting an HTML page with JS on github.io.)
That said, I have only a fixed number of possible parameters to the Streetview API – say ten possible different lat/long calls. I could manually sign each of these and include the signature for each, but an abuser could still script repeated clicks on those, so there wouldn’t be much point to a signature then.
Basically it seems to me that there’s no way to protect my quotas from abuse?
Definitely, you shouldn’t create a digital signature on the client side, because you will expose your secret key.
On the other hand, you should apply an HTTP referrer restriction to your API key. Please note that the Street View Static API has two levels of protection: the first is an API key protected by HTTP referrer, and the second is a digital signature.
Have a look at this FAQ article:
If your usage of the Street View Static API is not very high, you will probably be OK with just a protected API key. When you use requests with a protected API key and without a digital signature, your daily quota is limited to 25 000 requests. The digital signature (which must be calculated server side) allows you to overcome the daily limit of 25 000 requests. So, if you need more than 25 000 daily requests, you should implement a server-side digital signature.
I hope my explanation solves your doubt.
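
The pre-signing idea from the question, as an added example that is not part of either post: an offline script signs a fixed set of Street View Static API URLs with HMAC-SHA1 over the path and query, following Google's documented URL-signing scheme, so only the finished URLs are published and the secret never reaches the page. The API key, signing secret and coordinates are constructed placeholders. The signed URLs remain replayable by anyone who reads them, which is why the referrer restriction on the key still matters.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

BASE = "https://maps.googleapis.com/maps/api/streetview"

# Constructed placeholders, not real credentials.
API_KEY = "EXAMPLE_API_KEY"
URL_SIGNING_SECRET = base64.urlsafe_b64encode(b"constructed-demo-secret").decode()

# Constructed stand-ins for the fixed set of lat/long calls.
LOCATIONS = [(48.858370, 2.294481), (51.500729, -0.124625), (40.689247, -74.044502)]


def sign_url(url: str, secret_b64: str) -> str:
    """Append a signature computed over the URL-encoded path and query only."""
    parts = urlsplit(url)
    to_sign = f"{parts.path}?{parts.query}".encode()
    key = base64.urlsafe_b64decode(secret_b64)  # secret is URL-safe base64
    digest = hmac.new(key, to_sign, hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode()
    return f"{url}&signature={signature}"


def verify_url(signed_url: str, secret_b64: str) -> bool:
    """Re-sign the unsigned part and compare in constant time."""
    unsigned, sep, _sig = signed_url.rpartition("&signature=")
    if not sep:
        return False
    return hmac.compare_digest(sign_url(unsigned, secret_b64), signed_url)


def presign_all(locations, size="600x400"):
    """Build and sign one URL per location; run offline, publish only the output."""
    urls = []
    for lat, lng in locations:
        query = urlencode(
            {"size": size, "location": f"{lat:.6f},{lng:.6f}", "key": API_KEY}
        )
        urls.append(sign_url(f"{BASE}?{query}", URL_SIGNING_SECRET))
    return urls


if __name__ == "__main__":
    for signed in presign_all(LOCATIONS):
        print(signed)
```

Changing any signed parameter invalidates the signature, so the published URLs cannot be repointed at other coordinates or sizes, but each one can still be requested repeatedly.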