
Leaked Google API keys can unlock Gemini API access and surprise bills

Vlad CONSTANTINESCU

February 27, 2026


Exposed client-side Google API keys may now authenticate Gemini requests and rack up costs for unsuspecting users.

Old Google API keys become a liability

Google Cloud API keys have long appeared in public JavaScript to power Maps, YouTube embeds, analytics and Firebase features. Historically, many teams treated those strings as safe to expose, because a key mainly identifies the calling project for quota and billing rather than authenticating a user.

That assumption weakened as Gemini adoption surged. An API key is not tied to one service: unless it is explicitly restricted, it is accepted by every API enabled in its project. So once a project turned on the Generative Language API, the same key that had only ever identified the project for Maps or Firebase could authenticate AI requests, which dramatically changed the practical impact of keys sitting in the page source.

Thousands of exposed keys found

After scanning the November 2025 Common Crawl, Truffle Security researchers identified more than 2,800 live Google API keys embedded in public pages, spanning multiple industries and even Google-owned web properties.

They showed how an exposed key could be used to query Gemini API endpoints (such as listing the available models), which widens the issue's blast radius to cover both data access and billing abuse: every request made with a stolen key is billed to the key owner's project.
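The following Python is an added example, not the researchers' code, showing the two halves of that check on constructed input: pulling Google API keys out of page source by their "AIza" prefix and 39-character length, and interpreting what the models-list endpoint says about a key. The page, the keys and the response bodies are constructed; the bodies follow the shape Google's APIs return and are classified on the error.details[].reason codes (API_KEY_INVALID, API_KEY_SERVICE_BLOCKED, SERVICE_DISABLED and so on). The probe_key function performs the live request and is meant only for keys in projects you are authorised to test.

```python
"""Triage Google API keys found in page source: extract them, then interpret
what the Generative Language API's models-list endpoint says about each one.
Added example; the page, keys and response bodies below are constructed."""
import json
import re
import urllib.error
import urllib.request

# Google Cloud API keys are 39 characters long and begin with "AIza".
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed keys of the right shape (not real credentials).
KEY_MAPS = "AIzaSyD" + "0" * 32
KEY_FIREBASE = "AIzaSyB" + "1" * 32

# Constructed page source: a Maps embed (twice) plus an inlined Firebase config.
SAMPLE_PAGE = f"""<html><head>
<script src="https://maps.googleapis.com/maps/api/js?key={KEY_MAPS}"></script>
<script>
  const firebaseConfig = {{ apiKey: "{KEY_FIREBASE}", projectId: "demo" }};
  const notAKey = "AIzaTooShort";  // decoy: wrong length, must not match
</script>
<script src="https://maps.googleapis.com/maps/api/js?key={KEY_MAPS}"></script>
</head></html>"""

MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"


def extract_keys(text: str) -> list[str]:
    """Unique Google API keys in order of first appearance."""
    found: list[str] = []
    for match in GOOGLE_API_KEY_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def classify_models_response(status: int, body: str) -> str:
    """Map a models-list response to what it means for the exposed key.
    Google error bodies carry machine-readable reasons in error.details[].reason
    (google.rpc.ErrorInfo); those are matched before falling back to the status."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if status == 200 and "models" in data:
        return "accepted"  # key authenticates Gemini: data access and billing abuse
    err = data.get("error", {})
    reasons = {d.get("reason") for d in err.get("details", []) if isinstance(d, dict)}
    if "API_KEY_INVALID" in reasons:
        return "invalid"  # revoked or never existed
    if "API_KEY_SERVICE_BLOCKED" in reasons:
        return "blocked-by-api-restriction"  # key scoped to other APIs: the fix working
    if reasons & {"API_KEY_HTTP_REFERRER_BLOCKED", "API_KEY_IP_ADDRESS_BLOCKED"}:
        return "blocked-by-client-restriction"
    if "SERVICE_DISABLED" in reasons:
        # Live key, Gemini not (yet) enabled: the latent case the article describes.
        # Enabling the API later flips this to "accepted" with no change to the page.
        return "live-gemini-not-enabled"
    return f"rejected-{err.get('status', status)}".lower()


def probe_key(key: str, timeout: float = 5.0) -> str:
    """Live check against the real endpoint (not run here). Use only on keys
    belonging to projects you are authorised to test."""
    req = urllib.request.Request(f"{MODELS_URL}?key={key}", headers={"User-Agent": "key-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_models_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_models_response(exc.code, exc.read().decode())


def _error_body(code: int, status: str, reason: str, message: str) -> str:
    """Build a constructed error body in Google's error.details[] shape."""
    return json.dumps({"error": {"code": code, "message": message, "status": status,
                                 "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                                              "reason": reason, "domain": "googleapis.com"}]}})


# Constructed responses, one per outcome the classifier distinguishes.
SAMPLE_RESPONSES = {
    "accepted": (200, json.dumps({"models": [{"name": "models/example-model"}]})),
    "invalid": (400, _error_body(400, "INVALID_ARGUMENT", "API_KEY_INVALID",
                                 "API key not valid. Please pass a valid API key.")),
    "blocked-by-api-restriction": (403, _error_body(403, "PERMISSION_DENIED", "API_KEY_SERVICE_BLOCKED",
                                                    "Requests to this API are blocked.")),
    "blocked-by-client-restriction": (403, _error_body(403, "PERMISSION_DENIED", "API_KEY_HTTP_REFERRER_BLOCKED",
                                                       "Requests from referer <empty> are blocked.")),
    "live-gemini-not-enabled": (403, _error_body(403, "PERMISSION_DENIED", "SERVICE_DISABLED",
                                                 "Generative Language API has not been used in this project before or it is disabled.")),
}

if __name__ == "__main__":
    for key in extract_keys(SAMPLE_PAGE):
        print("found key:", key)
    for expected, (status, body) in SAMPLE_RESPONSES.items():
        print(f"{expected:32} -> {classify_models_response(status, body)}")
```

The "live-gemini-not-enabled" outcome is the one to watch in your own inventory: the key is accepted by Google, it is simply not yet allowed to reach Gemini, and nothing on the page has to change for that to flip.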

Google filed it as a privilege escalation

The core issue is that a key exposed for years can acquire far more dangerous privileges the moment Gemini is enabled in the associated cloud project, and this happens without the developer ever touching the website code: the string in the page source stays the same, only the set of APIs that accept it grows.

Google reportedly categorized the issue as a single-service privilege escalation and says it has implemented protections. Google's Gemini API troubleshooting guidance also indicates the company proactively blocks Gemini from accepting known leaked keys.

What to do right now

If you run Google Cloud projects with client-side keys, start by auditing whether the Generative Language API is enabled in any of them. Then inventory every API key, rotate anything that may have been public, apply strict API key restrictions (HTTP referrers, IP addresses and the allowed APIs) and move sensitive calls server-side where possible, so that any key able to reach Gemini never leaves your backend.
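An added example, not from the article, that runs the audit steps above offline. Its input is the JSON that `gcloud services list --enabled --format=json` and `gcloud services api-keys list --format=json` print; both samples below are constructed (made-up key IDs and project number), with field names following the API Keys API v2 Key resource. The flags in the generated remediation command (`--api-target`, `--allowed-referrers`) are the documented ones for `gcloud services api-keys update`.

```python
"""Audit a project's API keys for the exposure the article describes.
Added example; the gcloud output below is constructed so the audit runs offline."""
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"
CLIENT_RESTRICTION_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                             "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed `gcloud services list --enabled --format=json` output (Service resources).
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "maps-backend.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": GEMINI_SERVICE}, "state": "ENABLED"},
])

# Constructed `gcloud services api-keys list --format=json` output; field names follow
# the API Keys API v2 Key resource, key IDs and project number are made up.
SAMPLE_KEYS = json.dumps([
    {   # years-old browser key with no restrictions: any enabled API, from anywhere
        "name": "projects/123456789/locations/global/keys/key-legacy",
        "displayName": "Browser key (auto created by Firebase)",
    },
    {   # referrer-restricted but no API list: still valid for every enabled API, Gemini included
        "name": "projects/123456789/locations/global/keys/key-web",
        "displayName": "Website key",
        "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}},
    },
    {   # scoped to Maps from the site only: cannot call Gemini even though it is enabled
        "name": "projects/123456789/locations/global/keys/key-maps-ok",
        "displayName": "Maps only",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
])


def gemini_enabled(services_json: str) -> bool:
    """Step 1: is the Generative Language API enabled in this project?"""
    return any(s.get("config", {}).get("name") == GEMINI_SERVICE and s.get("state") == "ENABLED"
               for s in json.loads(services_json))


def audit_keys(keys_json: str, gemini_on: bool) -> list[dict]:
    """Step 2: flag keys that are unrestricted or able to authenticate Gemini requests."""
    findings = []
    for key in json.loads(keys_json):
        restrictions = key.get("restrictions", {})
        targets = {t.get("service") for t in restrictions.get("apiTargets", [])}
        problems = []
        if not any(f in restrictions for f in CLIENT_RESTRICTION_FIELDS):
            problems.append("no referrer/IP/app restriction")
        if not targets:
            problems.append("no API restriction: valid for every enabled API")
        if gemini_on and (not targets or GEMINI_SERVICE in targets):
            problems.append("can authenticate Gemini requests (billing and data exposure)")
        if problems:
            findings.append({"key_id": key["name"].rsplit("/", 1)[-1],
                             "display_name": key.get("displayName", ""),
                             "problems": problems})
    return findings


def remediation_commands(key_id: str, project: str, services: list[str], referrers: list[str]) -> str:
    """Step 3: gcloud command that scopes an existing key to named APIs and referrers.
    Rotation (create a new key, deploy it, delete the old one) is a separate step."""
    lines = [f"gcloud services api-keys update {key_id} --project={project}"]
    lines += [f"--api-target=service={s}" for s in services]  # repeatable flag, one per API
    lines.append("--allowed-referrers=" + ",".join(referrers))
    return " \\\n    ".join(lines)


if __name__ == "__main__":
    on = gemini_enabled(SAMPLE_SERVICES)
    print(f"Generative Language API enabled: {on}")
    for finding in audit_keys(SAMPLE_KEYS, on):
        print(f"{finding['key_id']} ({finding['display_name']}): " + "; ".join(finding["problems"]))
        print(remediation_commands(finding["key_id"], "my-project",
                                   ["maps-backend.googleapis.com"], ["https://example.com/*"]))
```

Note the middle sample key: a referrer restriction alone is flagged, because the Referer header is set by the client and any non-browser caller can forge it. The API-target restriction is what actually stops a leaked browser key from reaching Gemini, which is why the article's advice pairs referrer or IP limits with an explicit list of allowed APIs.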
