Configuring restrictions for API keys

An API key can be linked to domains or IP addresses to restrict requests from other sources. This setting prevents your key from being used in third-party services.

Note

The restriction only applies to billable requests. The map will appear on another website, but billable operations won't work.

What restrictions can apply

IP address — Address of the device the request was sent from. For requests sent from websites, this is the address of the user's device (not the address of the website hosting server). For requests sent from a server or local device, the IP matches the external address of the server or device.

Domain — Domain passed in the Referer header of a request. For requests sent from websites, the header is usually specified automatically and matches the page address. Some websites use containers or may not send the Referer. If a request is sent from a server or local device (for example, using curl), you should specify the header yourself.

How to add settings for API keys

To specify allowed domains and IP addresses for your API key:

  • Go to the Developer Dashboard.

  • Select the key you need and click Edit.

  • List the IP addresses you can make requests from, one address per line. IPv4, IPv6, and subnets are supported. For example, you can specify addresses this way:

    192.0.2.0
    192.0.2.0/24
    2001:db8::/32
    

    Note

    When loading the map, the user's device IP is used. When working with the JSAPI, we recommend using a domain restriction.

  • List the domains that you can make requests from. Domain information is passed in the Referer header. Domains are listed one per line, without specifying the protocol, port, URL scheme, or parameters (for example, yandex.ru). All subdomains are automatically added to the list of allowed ones. For example, you can specify domains as follows:

    yandex.ru
    yandex.com
    maps.yandex.ru
    example.com
    

The entered restrictions are applied within 15 minutes of filling out the form.

How API key restrictions are checked

Key checks are performed as follows:

  • If both the IP address and domain are specified, only one value has to match. For example, a user from an unknown IP can use the map on the specified website.
  • If only the domain is specified, it must match the Referer header.
  • If only the IP address is specified, it must match the IP of the request source.
  • If the fields are empty, the map can be used on any domain and from any IP.
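
The four rules above, written out as a small Python model. This is an added example, not Yandex's implementation; the function names and the sample addresses and domains used with it are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def domain_allowed(referer, allowed_domains):
    """True if the Referer host is a listed domain or one of its subdomains."""
    try:
        host = (urlsplit(referer or "").hostname or "").lower()
    except ValueError:  # malformed Referer value
        return False
    if not host:
        return False  # header missing or without a host
    for entry in allowed_domains:
        domain = entry.strip().lower()
        # Match on a label boundary so "notexample.com" does not pass.
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def ip_allowed(source_ip, allowed_ips):
    """Entries are single addresses or subnets, IPv4 or IPv6."""
    addr = ipaddress.ip_address(source_ip)
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def key_allows(source_ip, referer, allowed_ips=(), allowed_domains=()):
    """Apply the four documented cases to one request."""
    if not allowed_ips and not allowed_domains:
        return True  # empty fields: any domain, any IP
    if allowed_ips and allowed_domains:
        # Both set: only one value has to match.
        return (ip_allowed(source_ip, allowed_ips)
                or domain_allowed(referer, allowed_domains))
    if allowed_domains:
        return domain_allowed(referer, allowed_domains)
    return ip_allowed(source_ip, allowed_ips)
```

Because the two checks are combined with OR, adding a domain to a key that already has an IP restriction widens what the key accepts rather than narrowing it.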

How to display a map in a container

When displaying the map in containers, such as WebView or iframe, the user's device may pass an invalid HTTP referer. Below are recommendations for working with popular containers.

iframe

Modern web browsers pass the address of a loaded page in the iframe element. Just specify the domain of the page with the map in the Developer Dashboard.

Android WebView

When using WebView on Android devices, specify the Referer header via the advanced loadUrl function:

// Imports needed by this snippet.
import android.webkit.WebView;
import java.util.HashMap;
import java.util.Map;

// Website to be loaded into the WebView.
String url = "http://www.myserver.com/";

// Extra headers map that carries the Referer header.
Map<String, String> headers = new HashMap<String, String>();
headers.put("Referer", "http://www.mymap.com/map.html");

// Load the page in the WebView with the extra headers.
WebView wv = (WebView) findViewById(R.id.webview);
wv.loadUrl(url, headers);

iOS UIWebView

When using UIWebView on iOS devices, specify the Referer header in a request sent to UIWebView. Do this using the - setValue:forHTTPHeaderField: method. For example, you can specify it as follows:

NSMutableURLRequest* request = ...;
[request setValue:@"http://www.mymap.com" forHTTPHeaderField: @"Referer"];