There’s something I don’t understand about signatures in Google Maps APIs.
The documentation says "We strongly recommend that you use both an API key and digital signature, regardless of your usage". In this case we are talking about the Maps Static API, where requests are made by the frontend with a URL that generates an image to embed on your website. API keys should be restricted by referrer, so nobody else will be able to steal your key and use it in another project. So what’s the purpose of also adding a signature to the request?
As far as I know, signatures are used to make sure the request isn’t modified by an attacker. But I don’t think any parameters in Google Maps APIs can be abused in this case. What’s even more confusing is the fact that if you check out other Google Maps APIs like the Distance Matrix API or the Roads API, they only recommend you restrict your API key (by referrer) and don’t mention anything about adding a signature.
So is a signature really needed or not? And why?
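What the digital signature on a Maps Static API URL binds, as an added example that is not part of the original post and is not Google's code: the signature is an HMAC-SHA1 over the URL's path and query, keyed with a URL-safe base64 signing secret that never appears in the page, so a URL carrying only the API key, or a signed URL whose parameters were changed, does not verify. The secret, the `YOUR_API_KEY` placeholder and the `verify_url` helper (a local stand-in for the server-side check) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed signing secret (URL-safe base64), not a real credential.
SECRET = base64.urlsafe_b64encode(b"constructed-demo-secret-01").decode()

# Constructed request; YOUR_API_KEY is a placeholder.
BASE = ("https://maps.googleapis.com/maps/api/staticmap"
        "?center=40.714,-74.006&zoom=12&size=400x400&key=YOUR_API_KEY")


def sign_url(url: str, secret_b64: str) -> str:
    """Append &signature=... computed over the path and query only."""
    parts = urlsplit(url)
    to_sign = f"{parts.path}?{parts.query}".encode()
    key = base64.urlsafe_b64decode(secret_b64)
    digest = hmac.new(key, to_sign, hashlib.sha1).digest()
    return f"{url}&signature={base64.urlsafe_b64encode(digest).decode()}"


def verify_url(signed_url: str, secret_b64: str) -> bool:
    """Hypothetical server-side check: recompute the HMAC and compare."""
    unsigned, sep, sig = signed_url.rpartition("&signature=")
    if not sep:
        return False  # key-only URL, no signature present
    expected = sign_url(unsigned, secret_b64).rpartition("&signature=")[2]
    return hmac.compare_digest(sig.encode(), expected.encode())


def demo() -> dict:
    signed = sign_url(BASE, SECRET)
    # Same key and signature, but one parameter altered after signing.
    tampered = signed.replace("size=400x400", "size=640x640")
    return {
        "signed": verify_url(signed, SECRET),
        "tampered": verify_url(tampered, SECRET),
        "key_only": verify_url(BASE, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```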