Google cloud API keys must be in your front-end code, even the Google Maps sample code has an unprotected api key, and it is safe to include as long as it is properly restricted.

Sample code: https://github.com/googlemaps-samples/codelab-maps-platform-101-react-js/blob/main/solution/src/app.tsx

You can see more ways to restrict your api key access here: https://developers.google.com/maps/documentation/javascript/get-api-key#restrict_key Make sure to restrict your api key to the specific referrer URLs

You can also implement rate limiting: https://developers.google.com/maps/documentation/javascript/usage-and-billing#set-caps