API keys are associated with the Google Cloud project in which
they have been created. If your API requires an API key, you either have to give
your API users a key from the project that you created the Cloud Endpoints
service in, or you can let users enable your API in their own Google Cloud
project and create an API key. This page shows you how to grant the permission
that users need to enable your API.
Granting access
Endpoints uses theIdentity and Access Management (IAM)Service Consumerrole to allow someone who isn't a member of your
Google Cloud project to enable your API in their own Google Cloud
project. This section shows you how to grant access using the
Google Cloud console or the Google Cloud CLI.
Google Cloud console
In the Google Cloud console, go to theEndpoints>Servicespage for your project.
If you have more than one API, click the name of the API that you want to
grant access to.
If thePermissionsside panel isn't open, clickShow Permissions Panel.
In theAdd Principalfield, enter the email address of the person orGoogle Groupthat
you want to grant access to.
In theSelect a roledrop-down menu, selectService Management>Service Consumer.
ClickSave.
Repeat adding members and selecting the role, as needed.
Contact the users or groups that you added and let them know they can
enable the API in their Google Cloud projects. SeeEnable an API in your Google Cloud
projectfor information on how to enable a service in APIs & services.
gcloud
Open Cloud Shell, or if you have the Google Cloud CLI installed, open
a terminal window.
Contact the users or groups that you added and let them know they can enable
the API in their Google Cloud projects. SeeEnable an API in your Google Cloud
projectfor information on how to enable a service in APIs & services.
Revoking access
You revoke access to your API by removing theService Consumerrole from a
user or group that previously had the role. After you revoke someone's access,
they won't be able to enable your API.
This section shows you how to revoke access using the Google Cloud console or
the Google Cloud CLI.
Google Cloud console
In the Google Cloud console, go to theEndpoints>Servicespage for your Google Cloud project.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eAPI keys are linked to the Google Cloud project where they are created, allowing users to utilize keys from the service's project or enable the API in their own project.\u003c/p\u003e\n"],["\u003cp\u003eThe Identity and Access Management (IAM) Service Consumer role grants external users the ability to enable the API in their Google Cloud projects.\u003c/p\u003e\n"],["\u003cp\u003eAccess can be granted to users or Google Groups via the Google Cloud console or the Google Cloud CLI by assigning the Service Consumer role.\u003c/p\u003e\n"],["\u003cp\u003eAccess can be revoked from users or Google Groups through the Google Cloud console or the Google Cloud CLI by removing the Service Consumer role.\u003c/p\u003e\n"],["\u003cp\u003eRevoking access doesn't prevent users who have already enabled the API from making calls, however, logic can be implemented to disable specific API keys.\u003c/p\u003e\n"]]],[],null,["# Controlling who can enable your API\n\nOpenAPI \\| [gRPC](/endpoints/docs/grpc/control-api-callers \"View this page for the Cloud Endpoints gRPC docs\")\n\n\u003cbr /\u003e\n\nAPI keys are associated with the Google Cloud project in which\nthey have been created. If your API requires an API key, you either have to give\nyour API users a key from the project that you created the Cloud Endpoints\nservice in, or you can let users enable your API in their own Google Cloud\nproject and create an API key. This page shows you how to grant the permission\nthat users need to enable your API.\n\nGranting access\n---------------\n\nEndpoints uses the\n[Identity and Access Management (IAM)](/iam/docs)\n**Service Consumer** role to allow someone who isn't a member of your\nGoogle Cloud project to enable your API in their own Google Cloud\nproject. This section shows you how to grant access using the\nGoogle Cloud console or the Google Cloud CLI. \n\n### Google Cloud console\n\n1. In the Google Cloud console, go to the **Endpoints** \\\u003e **Services** page for your project.\n\n\n [Go to the Endpoints Services page](https://console.cloud.google.com/endpoints)\n\n \u003cbr /\u003e\n\n2. If you have more than one API, click the name of the API that you want to grant access to.\n3. If the **Permissions** side panel isn't open, click **Show Permissions Panel**.\n4. In the **Add Principal** field, enter the email address of the person or [Google Group](https://support.google.com/groups/answer/2464926) that you want to grant access to.\n5. In the **Select a role** drop-down menu, select **Service Management** \\\u003e **Service Consumer**.\n6. Click **Save**.\n7. Repeat adding members and selecting the role, as needed.\n8. Contact the users or groups that you added and let them know they can enable the API in their Google Cloud projects. See [Enable an API in your Google Cloud\n project](/endpoints/docs/openapi/enable-api) for information on how to enable a service in APIs \\& services.\n\n### gcloud\n\n1. Open Cloud Shell, or if you have the Google Cloud CLI installed, open a terminal window.\n - If you are granting access to an individual user:\n\n - If you are granting access to a Google Group:\n\n2. Contact the users or groups that you added and let them know they can enable the API in their Google Cloud projects. See [Enable an API in your Google Cloud\n project](/endpoints/docs/openapi/enable-api) for information on how to enable a service in APIs \\& services.\n\nRevoking access\n---------------\n\nYou revoke access to your API by removing the **Service Consumer** role from a\nuser or group that previously had the role. After you revoke someone's access,\nthey won't be able to enable your API.\n| **Note:** If someone has already enabled your API, revoking access doesn't prevent them from calling your API. Although there is no easy way to to prevent these calls, you can add logic to your code that disallows calls from a specific caller's API key.\n\nThis section shows you how to revoke access using the Google Cloud console or\nthe Google Cloud CLI. \n\n### Google Cloud console\n\n1. In the Google Cloud console, go to the **Endpoints** \\\u003e **Services** page for your Google Cloud project.\n\n\n [Go to the Endpoints Services page](https://console.cloud.google.com/endpoints)\n\n \u003cbr /\u003e\n\n2. If you have more than one API, click the name of the API that you want to revoke access to.\n3. If the **Permissions** side panel isn't open, click **addPermissions**.\n4. Click the **Role** card that the member belongs to.\n5. Click **Delete** delete.\n\n### gcloud\n\n- If you are revoking access for an individual user:\n\n- If you are revoking access for a Google Group:\n\nWhat's next\n-----------\n\n- Tell users how to [enable your API in their Google Cloud project](/endpoints/docs/openapi/enable-api).\n\n\u003c!-- --\u003e\n\n- Learn more about [Sharing APIs protected by API keys](/endpoints/docs/openapi/restricting-api-access-with-api-keys#sharing_apis_protected_by_api_key).\n\n\u003c!-- --\u003e\n\n- Create a [Cloud Endpoints Portal](/endpoints/docs/openapi/dev-portal-overview) for your users."]]
