First

Which Google Cloud Platform project should I create a Cloud Endpoints API key in?

Do you need to set up different API key restrictions?

Yes
No

"An API key is unrestricted by default. Unrestricted keys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides.

"For production applications, set both application and API restrictions."

Adding restrictions to API keys