You can configure your API key to whitelist by host which tells Google Maps to only allow the API key to be used from a site sending a referrer that matches your whitelist.

If some other site uses your API key, they’ll get this error message on load:

This web site needs a different Google Maps API key. A new key can be generated at http://code.google.com/apis/maps/documentation/javascript/v2/introduction.html#Obtaining_Key.

You can verify this yourself by using the RefControl extension for FireFox:

• Using the extension, Override your referrer to, say, http://www.microsoft.com/
• Access an example site for google maps that’s not hosted by google – e.g., http://econym.org.uk/gmap/example_controlpos.htm
• You should get the error.

This works because:

• Practically all web browsers send a referrer (i.e., the URI of the resource which links to it) as part of a request.
• For someone to steal your API key (since as you say, it’s a publicly available string), they would need to tell all their users to override their referrers to match the site they stole it from (which clearly isn’t practical).

Note that Google seem to allow requests that contain no referrer – I guess the amount of browsers that are configured to exclude this information is minuscule and therefore not worth caring about.