How to Connect a Private Google Sheet to TableCrafter (API Key)

When your Google Sheet contains data that should not be publicly accessible, you need Google's Sheets API and an API key to authenticate. This guide walks the full setup: Google Cloud Platform project creation, API enablement, key restriction, and TC configuration. Budget about 15 minutes. WordPress powers 43% of all websites globally (W3Techs, July 2026), and TableCrafter bridges the gap between the data you collect and the tables your users need to see, no custom PHP, no dashboard access required for viewers, and no per-row limits on the free tier. The free version on WordPress.org supports CSV, JSON, Google Sheets, and Excel. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST APIs, inline cell editing, export to CSV/PDF, role-based column visibility, and auto-refresh. Every table embeds on any page with a [tablecrafter] shortcode or the native Gutenberg block. JSON is the default data format for 96% of public REST APIs (ProgrammableWeb, 2024).
Prerequisites
- A Google account with access to the target spreadsheet. Ideally, use the same Google account for both the spreadsheet and the Google Cloud Platform project you create in Step 1. The two can be separate accounts, but keeping them unified simplifies key management and avoids confusion about which account owns which resource.
- TableCrafter Pro installed and activated on WordPress. The Private Google Sheets connection type is a Pro feature. It is not available in the free plugin on WordPress.org.
- Admin access to Google Cloud Platform (free tier is sufficient). The Sheets API free tier allows 300 requests per minute per project. TableCrafter caches responses in WP transients, so a typical WordPress site makes far fewer API calls than that limit. No billing setup is required for normal read-only volumes at standard WordPress traffic levels.
- Your spreadsheet URL ready to reference. Have the Google Sheets tab open in a browser before you start. You will extract the Spreadsheet ID from the URL in Step 5. No other information from the sheet is needed before that step.
- No changes to the spreadsheet itself are needed until Step 6. Steps 1 through 5 are all performed in Google Cloud Console. You return to the spreadsheet in Step 6 to configure its sharing permissions so the API key can read it.
Step 1: How Do I Create a Google Cloud Project?
Google Cloud Platform (GCP) is Google's infrastructure layer for developer APIs, including the Sheets API. You need a GCP project as a billing and quota container, even though the Sheets API is free for the read volumes typical WordPress sites generate.
- Go to console.cloud.google.com. Sign in with your Google account; you can use a personal Gmail or a Google Workspace account.
- Click the project selector at the top of the page → New Project.
- Name it something descriptive: TableCrafter Sheets Access. The name is for your reference only and has no effect on the API behavior.
- Leave Organization and Location at their defaults unless your Google Workspace organization requires project placement in a specific folder.
- Click Create and wait about 10 seconds for provisioning. A notification in the top-right confirms when the project is ready.
- Make sure the new project is selected in the project selector before continuing; all subsequent steps must be performed within this project or the API key and enabled APIs will be in a different project than expected.
Step 2: How Do I Enable the Google Sheets API?
- In the left sidebar, go to APIs & Services → Library.
- Search for Google Sheets API and click the result; make sure it says "Google Sheets API" not "Google Drive API".
- Click Enable. Enabling takes a few seconds. After the page reloads, the button changes to "Manage," which confirms the API is active.
- Wait for the confirmation screen. You should see the API listed as "Enabled" in your project's API dashboard under APIs & Services → Enabled APIs. If it still shows the Enable button on refresh, wait 30 seconds and try the page again.
Step 3: How Do I Create an API Key?
- Go to APIs & Services → Credentials.
- Click + Create Credentials → API key.
- Google generates a key immediately; it looks like
AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Copy it now; you will paste it into TableCrafter in Step 7. Do not close the dialog before copying. - Click Edit API key (the pencil icon next to the new key in the credentials list) to apply a restriction so the key can only be used for the Google Sheets API.
In the API key editor, under "API restrictions," select "Restrict key" and choose "Google Sheets API" from the dropdown. This ensures that if the key is ever exposed, it cannot be used for other Google services. Click Save after applying the restriction. The key is now ready to be entered into TableCrafter.
Step 4: How Do I Restrict the API Key (Critical Security Step)?
An unrestricted API key can be used by anyone who finds it to make requests billed to your GCP account. Always restrict it to the minimum necessary scope.
Application Restriction
Under Application restrictions, select Websites. Add your WordPress domain:
yourdomain.com/*
*.yourdomain.com/*
Adding both patterns covers the bare root domain and all subdomains. The first matches requests from yourdomain.com directly; the second covers www.yourdomain.com, staging subdomains, and any other prefixed variant. Add both to avoid issues if your site runs on a subdomain.
One important caveat for server-side usage: PHP does not include a Referer header when making outbound HTTP requests by default. Website application restrictions in GCP check the HTTP referrer header on incoming API requests. Because TableCrafter calls the Sheets API from your WordPress server rather than from the visitor's browser, those server-side requests carry no referrer. A website restriction therefore does not block TableCrafter's own API calls. What it does guard against is someone extracting the key and using it from a browser context on a different domain. That is still a worthwhile defense-in-depth measure. However, for protecting against misuse from another server, the API Restriction in the next section is more effective. Apply both restrictions to get the strongest protection available.
API Restriction
Under API restrictions, select Restrict key. From the dropdown, check only Google Sheets API. This key cannot be used to access Gmail, Drive, or any other Google service even if someone obtains it.
Click Save.
The configuration you set here applies to every visitor who loads a page containing this table, regardless of whether they are logged in. Role-specific overrides for columns and rows are a separate layer and do not replace these global display settings. Apply global settings first, then add role restrictions as needed for tables that serve multiple user types.
Step 5: How Do I Get Your Spreadsheet ID?
Open the private Google Sheet in your browser. The URL looks like:
https://docs.google.com/spreadsheets/d/1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms/edit#gid=0
The long alphanumeric string between /d/ and /edit is your Spreadsheet ID. Copy it; this is what TableCrafter uses to identify which sheet to read. The #gid= part at the end refers to a specific tab; you will specify the tab by name in the next step, not by its gid number. If your sheet URL uses a different format (for example, you opened it via a direct URL that was shared with you), look for the same 44-character string between the two forward slashes.
The setting is stored in the WordPress options table under the table's configuration key. It does not modify the original data source and can be changed at any time without affecting the underlying records.
Step 6: How Do I Share the Sheet with Your Service Account (API Key Method)?
API key authentication works differently from OAuth. An API key does not log in as a specific Google account, so sharing the sheet with a particular email address has no effect on whether the API key can read it. For a plain Google Cloud API key to access a spreadsheet via the Sheets API v4, the sheet must be set to "Anyone with the link can view." This setting does not make the sheet publicly indexed or discoverable in search results. It means that any request carrying the correct URL can read the content. Your API key is what identifies your application to Google; the link-sharing setting is what controls whether the content is accessible without a logged-in Google session.
To configure the correct sharing level:
- Open the Google Sheet in your browser.
- Click Share in the top-right corner.
- Under "General access," change the setting from Restricted to Anyone with the link.
- Confirm the role is set to Viewer.
- Click Done.
Step 7: How Do I Configure TableCrafter?
In WordPress admin, go to TableCrafter → Settings → Integrations. Paste the API key you copied in Step 3 into the Google Sheets API Key field and click Verify Key. TableCrafter sends a test request to confirm the key is valid and the Google Sheets API is enabled on that key. Verification takes 2-5 seconds and shows a green confirmation banner on success.
If verification fails, the most common causes are: (1) the Google Sheets API was not enabled on the project; return to Step 2 and confirm the API shows as "Enabled" (not "Enable" with a button); (2) the API key has an HTTP referrer restriction that blocks server-side requests; edit the key in Google Cloud Console under API restrictions and either set it to "None" or add your WordPress server's outbound IP address. Once the key verifies successfully, click Save Settings. You only need to do this once; the key is stored in wp_options and used for all Private Google Sheets data sources on this WordPress site.
Step 8: How Do I Add a Private Sheets Data Source?
In WordPress admin, go to TableCrafter → Data Sources → Add New. Select Google Sheets (Private API) as the source type. Fill in the following fields:
- Enter your Spreadsheet ID (the 44-character string from Step 5, the part between
/d/and the next/in the Google Sheets URL). - Enter the sheet tab name in Sheet Name (e.g.,
Sheet1or whatever your tab is labeled; this is case-sensitive and must match exactly the tab label visible at the bottom of Google Sheets; a space or capital letter difference will return a 404). - Optionally specify a cell range like
A1:F200if you only want part of the sheet. Leave blank to pull the entire sheet. - Click Save and Fetch Preview.
After a successful fetch, a preview of the first few rows appears below the form and the column selector populates with your sheet's header row values. If the preview is empty or shows an error, the most common causes are a wrong Spreadsheet ID, a tab name mismatch, or the API key not having been verified in Step 7 yet. Fix the field that matches the error message and click Save and Fetch Preview again.
Step 9: How Do I Map Columns and Create the Table?
In TableCrafter → Tables → Add New, select the Private Sheets data source you just created. The column selector populates with your sheet's header values. Assign a display type to each column:
- Text: the default; displays the cell value as plain text
- Number: right-aligns the value and enables data bars (Pro)
- Date: parses the value and formats it in your configured date format
- Image URL: renders a URL value as an inline thumbnail
Toggle visibility off for any internal or audit columns that should not be visible to table viewers. Save the table configuration. A shortcode is generated automatically; embed it in any page:
[tablecrafter id="4" filter="true" search="true"]
Column type assignments persist if you later update the data source URL or refresh the schema. If you swap to a different sheet or remove columns from the header row, re-open the table configuration and verify the column mapping still matches your updated sheet structure.
How Does Security Notes Work?
- Never commit your API key to Git. Store it only in the TC settings interface, which saves it to the WordPress options table (encrypted at rest if you use a security plugin that encrypts wp_options).
- Rotate the key periodically. GCP Credentials page lets you add a second key, update TC to use the new one, then delete the old one with zero downtime.
- Monitor usage. In GCP, go to APIs & Services → Google Sheets API → Metrics. An unexpected spike in requests may indicate key exposure.
- Quota limits. The Sheets API free tier allows 300 requests per minute per project. TC's caching means each table only makes one real API call per cache interval, so typical WordPress sites stay well within quota.
How Does Troubleshooting Common Errors Work?
Match the error code shown in the TableCrafter test result to the resolution below.
- 403 Forbidden: The API key has a website application restriction. PHP sends no Referer header on server-side requests, so a websites restriction can block TableCrafter even when your own domain is listed. Remove the application restriction, re-run the connection test, and if it passes keep only the API restriction (Sheets API only), or use an IP-based restriction if your server has a static outbound IP.
- 404 Not Found: The Spreadsheet ID is wrong, or the sheet tab name is misspelled. Tab names are case-sensitive and must match the tab label at the bottom of Google Sheets exactly, including spaces; a trailing space introduced during copy-paste is a frequent cause.
- PERMISSION_DENIED: The sheet is not set to "Anyone with the link can view." An API key does not log in as a Google account, so sharing the sheet with a specific email has no effect. Click Share, set general access to "Anyone with the link," and confirm the role is Viewer.
- API not enabled: The Sheets API was enabled in a different GCP project than the one that owns your key. Confirm the GCP project selector shows the project from Step 1 and that the Sheets API appears under Enabled APIs.
Frequently Asked Questions
How Do I Restrict the API Key (Critical Security Step)?
An unrestricted API key can be used by anyone who finds it to make requests billed to your GCP account. Always restrict it to the minimum necessary scope.
What Is TableCrafter?
TableCrafter is a WordPress plugin that turns data from Gravity Forms, Google Sheets, Airtable, Notion, REST APIs, CSV files, and WooCommerce into interactive, sortable, filterable frontend tables. Embed any table on any WordPress page with the [tablecrafter] shortcode or the native Gutenberg block. No PHP or custom development required. The free version supports CSV, JSON, Google Sheets, and Excel. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST APIs, inline cell editing, export to CSV and PDF, role-based column visibility, and auto-refresh.
Does this require PHP or developer skills?
No. TableCrafter is configured entirely through the WordPress admin interface. You choose your data source, map fields to columns, and set display preferences using point-and-click controls. Embedding uses the [tablecrafter] shortcode or the native Gutenberg block.
Is the free version sufficient or do I need Pro?
The free plugin on WordPress.org supports CSV, JSON, Google Sheets, and Excel sources with unlimited tables, rows, and columns. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST API sources, inline cell editing, bulk row actions, export to CSV and PDF, role-based column visibility, and auto-refresh every N seconds.
Ready to try it?
TableCrafter is free on WordPress.org. Pro unlocks inline editing, role-based permissions, and advanced data sources.
This step is required before the table can render data. Skipping it or entering incorrect values will result in a connection error when the table first loads. Double-check the value by pasting it directly into the field rather than typing it manually to avoid whitespace or encoding issues.
This configuration interacts with any caching or CDN layer active on your WordPress installation. If you use WP Rocket, LiteSpeed Cache, or a CDN such as Cloudflare, flush the page cache after making this change to ensure the updated configuration is reflected in the cached HTML served to visitors. TableCrafter's server-side output is regenerated on the next uncached request.