https://cloud.google.com/docs/authentication/api-keys?hl=en&...
It's not perfect; there are ways to subvert it. But it makes it trickier for somebody to make much of a profit off it, reducing interest in stealing the key.