You're asking how to keep this key secret, right?
Read this discussion:
The conclusion is you better not embed this directly into a VFP executable. Because in the end Fiddler added as a proxy can record HTTP traffic, even HTTPS.
The solution is to have your own proxy on an own domain in conjunction with using Googles own key management mechanisms to restrict key usage from one domain only, your proxy service domain.
Now the problem only seems to be shifted, as your own domain needs to act as a proxy between your EXE which means now your domain is becoming the target, anyone could use your key by using your proxy. You have some advantages, even though the communication of your EXE with your proxy can still be eavesdropped on. Your proxy may only support part of the functionality and using it only gives an attacker the ability to use the rate limit. It already is far less interesting. Besides, as long as you only use what you get free by using a free key, that key is not really valuable for neither you nor Google nor others, as everyone can get free keys.
And aside of that with your own proxy, the part of the communication between your EXE and your proxy is totally up to you, you can sign every request with one time keys or do whatever you want that makes eavesdropping on this communication useless. The part of the communication between your proxy and Google is protected by the Google API key restriction, your domain bound key is useless for others, and you should trust your hoster enough both to protect your server-side code and not use keys deposited there themselves.
Bye, Olaf.
Olaf Doschke Software Engineering
