My question is about how to properly set the package name and SHA-1 certificate fingerprint in the Google Developers Console in order to restrict usage of my Android API key to my app.
When I don't have anything set in the "Restrict usage to your Android apps" section, my requests to the Google Translate API work properly. The API responds normally with status code 200 and my expected result.
But when I specify a package name and SHA-1 certificate fingerprint for my app using the Developers Console, I consistently get 403 Forbidden responses like the following:
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=UTF-8
Date: Sun, 29 Nov 2015 21:01:39 GMT
Expires: Sun, 29 Nov 2015 21:01:39 GMT
Cache-Control: private, max-age=0
X-XSS-Protection: 1; mode=block
Alt-Svc: quic=":443"; ma=604800; v="30,29,28,27,26,25"
"message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
"message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed."
GET https://www.googleapis.com/language/translate/v2?key=XXXXXXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXXXX&source=en&target=es&q=test HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 6 Build/LVY48H)
keytool -list -v -keystore /path/to/my/keystore
keytool -list -printcert -jarfile myAppName.apk
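An added example, not part of the original posts: a small Python check that the SHA-1 value entered in the Developers Console matches what the two keytool commands above report for the keystore and for the built APK. It assumes keytool's usual "SHA1:" line under "Certificate fingerprints:"; the sample outputs and fingerprint values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample output (not from the post), laid out the way keytool prints it.
KEYSTORE_OUT = """Alias name: release
Entry type: PrivateKeyEntry
Certificate fingerprints:
     MD5:  0C:C1:75:B9:C0:F1:B6:A8:31:C3:99:E2:69:77:26:61
     SHA1: A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
"""
# Constructed: an APK that was signed with a different (e.g. debug) key.
APK_OUT = """Signer #1:
Owner: CN=Android Debug, O=Android, C=US
Certificate fingerprints:
     SHA1: DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
"""

# Matches only the SHA-1 line; MD5 and SHA256 lines are ignored.
_SHA1_LINE = re.compile(r"^\s*SHA-?1:\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)


def normalize(fp):
    """Return a fingerprint as upper-case, colon-separated hex (20 bytes)."""
    digits = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))


def sha1_fingerprints(keytool_output):
    """Extract every SHA-1 fingerprint found in keytool output."""
    return [normalize(m) for m in _SHA1_LINE.findall(keytool_output)]


def check(configured, keystore_out, apk_out):
    """Compare the console value with the keystore and the APK fingerprints."""
    want = normalize(configured)
    return {
        "keystore_matches": want in sha1_fingerprints(keystore_out),
        "apk_matches": want in sha1_fingerprints(apk_out),
    }


if __name__ == "__main__":
    # Console value pasted in lower case without colons still compares equal.
    print(check("a9993e364706816aba3e25717850c26c9cd0d89d", KEYSTORE_OUT, APK_OUT))
```

A result where the keystore matches but the APK does not means the installed build was signed with a different key than the one registered for the API key.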
When using a Google REST-only API, such as Translate, you'll need to use GoogleAuthUtil, which will generate a token for a specific user and package/fingerprint. However, that requires GET_ACCOUNTS permission, which smart users are wary of.
You could also use the getAuthToken() method, but that would require not only the GET_ACCOUNTS permission, but also
You might be best off using an API key and obscuring it a bit.