At a high level we recommend:
- Create a unique API Key for each environment
- Set Application Restrictions so each API Key is only usable in its designated environment
- Set API Restrictions so each API Key has just the minimal set of APIs it needs to call enabled
- Never leave API Keys unrestricted
But you don't have to take our word for it—Google has an excellent best practices guide.