
Security Best Practices

Follow these guidelines to keep your maps.guru integration secure in production.

API Key Security

Never Expose Keys in Client-Side Code

// BAD — key visible in browser source
const map = new maplibregl.Map({
  style: `https://api.maps.guru/v1/styles/basic/style.json?key=mapx_secret_key`
});

Instead, proxy through your backend:

// GOOD — key stays on your server
const map = new maplibregl.Map({
  style: '/api/map-style' // Your backend fetches with the API key
});
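The `/api/map-style` backend route referenced above, as an added example that is not code from the maps.guru docs. The upstream style URL and its `key` query parameter come from this page; the handler shape, the Express-style wrapper and the injectable `fetchImpl` are assumptions made so the logic can be read and tested in isolation.

```javascript
// Added example: server-side proxy so the maps.guru key never reaches the browser.
const STYLE_UPSTREAM = 'https://api.maps.guru/v1/styles/basic/style.json';

// The upstream URL is fixed on the server. Nothing from the client request is
// interpolated into it, so the browser cannot steer the proxy at other URLs.
function buildUpstreamUrl(apiKey, upstream = STYLE_UPSTREAM) {
  const url = new URL(upstream);
  url.searchParams.set('key', apiKey);
  return url.toString();
}

// Defensive scrub: if the returned style document references tile, sprite or
// glyph URLs that carry the key, the key is replaced so it never leaves the
// server (those resources would need their own proxied route as well).
function redactKey(body, apiKey) {
  return body.split(apiKey).join('REDACTED');
}

// Core proxy logic, independent of any web framework. Returns { status, body }.
// fetchImpl is injectable (assumption) so the handler can run without network access.
async function proxyMapStyle({ apiKey, fetchImpl = fetch, upstream = STYLE_UPSTREAM }) {
  if (!apiKey) {
    // Misconfiguration: fail closed instead of calling upstream without a key.
    return { status: 500, body: JSON.stringify({ error: 'map style unavailable' }) };
  }
  const res = await fetchImpl(buildUpstreamUrl(apiKey, upstream));
  if (!res.ok) {
    // Do not echo the upstream body: an error page may repeat the request URL, key included.
    return { status: 502, body: JSON.stringify({ error: 'upstream error' }) };
  }
  return { status: 200, body: redactKey(await res.text(), apiKey) };
}

// Express-style route wrapper (hypothetical `app` object). The key is read from
// the MAPS_GURU_API_KEY environment variable used elsewhere on this page.
function registerMapStyleRoute(app) {
  app.get('/api/map-style', async (req, res) => {
    const out = await proxyMapStyle({ apiKey: process.env.MAPS_GURU_API_KEY });
    res.status(out.status).type('application/json').send(out.body);
  });
}
```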

Use Environment Variables

# .env (never committed)
MAPS_GURU_API_KEY=mapx_your_key

// server.js
const apiKey = process.env.MAPS_GURU_API_KEY;

Separate Keys Per Environment

Environment | Key Name     | Scopes
------------|--------------|-------------------
Development | Dev Key      | All
Staging     | Staging Key  | All
Production  | Prod Backend | geocoding, routing
Production  | Prod Maps    | maps

HTTPS Only

All maps.guru endpoints enforce HTTPS. Never use HTTP — it exposes your API key in transit.

Restrict Key Scopes

Follow the principle of least privilege:

  • If an application only needs geocoding, create a key with only the geocoding scope
  • If a frontend only displays maps, use a key with only the maps scope
  • Never use the default all-scopes key in production

Monitor Usage

Set up monitoring to detect anomalies:

  1. Check daily — Review the usage dashboard for unexpected spikes
  2. Set alerts — Configure budget warnings in the admin dashboard
  3. Audit keys — Regularly review which keys exist and revoke unused ones

Rotate Keys Regularly

Establish a key rotation schedule:

  1. Create a new key
  2. Deploy the new key to your application
  3. Verify everything works
  4. Revoke the old key
  5. Repeat quarterly (or after any team member departure)

Incident Response

If you suspect a key has been compromised:

  1. Revoke immediately — Go to Dashboard → API Keys → Revoke
  2. Create a new key — Generate a replacement
  3. Update applications — Deploy the new key
  4. Review usage — Check for any unauthorized requests
  5. Audit access — Review who had access to the compromised key

Warning

Key revocation is instant and permanent. All requests using the revoked key will fail immediately.