How to Create a Google Maps API Key for Your BMLT Server

If you run a BMLT (Basic Meeting List Toolbox) server, you need a Google Maps API key to power the map display, geocoding for new meeting locations, and the “find meetings near me” search. This guide walks you through creating that key, locking it down with HTTP referrer restrictions so it can’t be abused, and enabling only the two Google services BMLT actually needs.

Video Walkthrough

Prefer to watch instead of read? Here’s a video walkthrough that covers the same steps:

What You’ll Need Before You Start

• A Google account (a personal Gmail account works fine).
• A credit card for billing. Google Maps Platform requires billing to be enabled, but most BMLT servers stay well under the free monthly usage credit.
• The domain name where your BMLT server is hosted (for example, bmlt.example.org).
• Admin access to your BMLT server’s Server Administration page.

Step 1: Create a Google Cloud Project

1. Go to the Google Cloud Console and sign in.
2. Click the project drop-down at the top of the page (next to the “Google Cloud” logo).
3. Click New Project.
4. Give it a clear name like BMLT Maps and click Create.
5. Once the project is created, make sure it’s selected in the project drop-down.

Step 2: Enable Billing

Google Maps Platform won’t return any results until billing is enabled, even for free-tier usage.

1. From the navigation menu (the three-line “hamburger” icon at the top left), choose Billing.
2. Click Link a billing account (or Manage billing accounts → Add billing account if you don’t already have one).
3. Enter your payment information and link it to your new BMLT Maps project.

Note: Google Maps Platform includes a recurring monthly credit that covers the typical traffic of a regional BMLT server. Set up a budget alert if you want extra peace of mind.

Step 3: Enable the Two APIs BMLT Needs

BMLT uses two Google services:

• Maps JavaScript API — renders the interactive map on the meeting search page.
• Geocoding API — converts addresses to latitude/longitude when meetings are added or when users search by address.

Enable each one:

1. From the navigation menu, choose APIs & Services → Library.
2. Search for Maps JavaScript API, click it, and click Enable.
3. Go back to the Library, search for Geocoding API, click it, and click Enable.

Don’t enable any other APIs — the principle of least privilege keeps your key safer if it’s ever exposed.

Step 4: Create the API Key

1. From the navigation menu, choose APIs & Services → Credentials.
2. Click + Create Credentials at the top of the page and choose API key.
3. A dialog will appear with your new key. Copy it somewhere safe for now — you’ll paste it into BMLT in Step 6.
4. Click Edit API key (or click the pencil icon next to the key on the Credentials page) so you can lock it down.

Important: An unrestricted API key is a liability. Anyone who scrapes it from your website’s HTML can rack up charges on your billing account. The next two steps fix that.

Step 5: Add HTTP Referrer Restrictions

Referrer restrictions tell Google to only honor requests that come from your own website.

1. On the API key edit page, scroll down to Application restrictions.
2. Select Websites.
3. Under Website restrictions, click Add and enter each of the following patterns, replacing example.org with your real domain:

• https://bmlt.example.org/*
• https://*.example.org/* — only if you embed BMLT widgets on other subdomains
• https://example.org/* — only if you embed BMLT widgets on your root domain

Add an entry for every domain or subdomain that will load BMLT maps or use the BMLT JavaScript widgets. If your region’s website embeds the meeting search at narotics-anonymous-region.org, you need to add that too:

• https://narotics-anonymous-region.org/*
• https://www.narotics-anonymous-region.org/*

Tip: Wildcards only match a single segment. https://*.example.org/* matches bmlt.example.org but not example.org by itself, so list both if you need both.

Step 6: Restrict the Key to Just Those Two APIs

1. Still on the API key edit page, scroll down to API restrictions.
2. Select Restrict key.
3. In the drop-down, check the boxes for Maps JavaScript API and Geocoding API.
4. Click OK, then click Save at the bottom of the page.

Now the key is useless to anyone who steals it: it only works when called from your domains, and only against the two APIs you actually use.

Step 7: Add the Key to Your BMLT Server

1. Log in to your BMLT server’s admin interface as a Server Administrator.
2. Open Server Administration (the gear/settings area).
3. Find the Google Maps API Key field.
4. Paste the key you copied in Step 4.
5. Save your changes.

Reload your meeting search page. The map should render and address searches should resolve to coordinates. It can take a minute or two for newly enabled APIs to fully propagate on Google’s side.

Troubleshooting

• “This page can’t load Google Maps correctly” / gray map: Open your browser’s developer console. A RefererNotAllowedMapError means your current URL doesn’t match any of the referrer patterns — double-check the domain and the wildcards.
• Geocoding silently fails: Confirm the Geocoding API is enabled in the Google Cloud Console and checked under your key’s API restrictions. Both are required.
• “You must enable Billing” error: The project doesn’t have a billing account linked. Re-do Step 2.
• Map works on your test server but not in production: You probably restricted the key to your staging domain only. Add the production domain to the referrer list.

One Last Tip: Set a Budget Alert

Even with restrictions in place, set up a budget alert so you’ll get an email if usage ever spikes unexpectedly. In the Google Cloud Console go to Billing → Budgets & alerts → Create budget, set a small monthly amount (say, $10), and you’ll get a heads-up long before anything would actually be charged.

That’s it — your BMLT server now has a properly scoped, properly restricted Google Maps API key, and you can stop worrying about your key turning up in someone else’s project.