Protecting YouTube v3 API key in a client-side application

Question

I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started

The first step of interacting with YouTube's API is:

You need a Google Account to access the Google Developers Console, request an API key, and register your application.

And they continue on to show an example where they use the key:

URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY &part=snippet,contentDetails,statistics,status

I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.

Since it's a client-side application, my API key is embedded into the code.

Today, a malicious user scripted something to max out the requests:

I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?

I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.

Do I have any other options available to me?

Thanks

Answer 1

Don't think it is a malicious user. I think something's wrong on YouTube's side, since I'm seeing exactly the same issue with API requests made from my app