Restricting website usage for Google Maps API doesn’t prevent it from being used in the browser?


Say I’ve restricted my Google Maps API key to the website abc.com/*. This would mean that no other website domains could use my API key to make requests to maps.googleapis.com.

However, using the API key through the browser URL bar to make requests to maps.googleapis.com still works fine. Calls made through Postman also work.

What’s the explanation for this and is there an elegant way to prevent this?

Btw, I’m using the Maps Static & JavaScript API. From my understanding, both are client-side Maps APIs and called from the browser?