Tutorials / How to use Domain Whitelisting to Secure HERE API Keys
Last Updated: July 24, 2020


In this tutorial we will show you how to secure HERE API keys. Please note: This may not be the best way for your solution. Please evaluate your requirements and use the best method for your operating environment. HERE also supports OAuth for generating access tokens.

In this tutorial we will show you how to add security to your API Keys. For this we use a method called “Domain Whitelisting.” Domain whitelisting allows you to tell HERE’s APIs from which domains to accept API requests. HERE will then ignore all other requests from other Domains that may have obtained your keys.

If you have multiple domains, you are in luck, HERE supports that as well. Lets get started.

By default, any website with your HERE Developer API Key may make API calls using your key.

If you want to limit access to your key from your domain, then you need to whitelist your domain on the HERE Developer Portal. You can whitelist your domain by following the tutorial below and adding it to the projects page section on the Developer Portal. You can add multiple domains but only a maximum 20 subdomains for each domain.

If you want to add more sub domains, you can contact us at selfservesupport@here.com.

After adding the domain in your whitelist, it may take up to an hour for the changes to go into effect.

If the domain is not found in the whitelist on the HERE Developer Portal, API requests will fail. You can see these errors in your web browser’s console.



  • A HERE Developer Account, if you don’t have one you can get one at developer.here.com
  • Publicly Hosted Domain Name: For this tutorial you will need a publicly hosted website using HERE APIs with a valid DNS name. To learn more about DNS Names see this article from Wikipedia.

How to Whitelist a Domain

To whitelist a domain:

Login to developer.here.com


Navigate to the Projects section or by clicking on developer.here.com/projects and then select your project.


After selecting the project, you will be able to see the checkbox under JAVASCRIPT section like below:


Please select the checkbox and you will see a popup and click on ok. popup

Enter your DNS name to whitelist and click on SAVE creation

Note: You can remove a whitelisted domain at any time by clicking on - symbol.

A Note about Securing your API key

A lot has been written on the best practices for securing API keys. We have shown you one way to do that using HERE’s Developer Portal. If you are interested in learning more about how to secure your API keys check out this article on FreecodeCamp.


Now that you know how to secure your API using Domain Whitelisting, check out our OAuth Tutorial which teaches you how to generate OAuth Bearer Tokens for your backend systems.

Next Steps

Explore more tutorials: