Google API Keys Security Model Changes After Gemini Launch
⚔️ Attack Techniques & Methods
2026-03-04, 07:26
Truffle Security researchers found that with the release of the Gemini API, Google has changed how it handles API Keys, elevating them from “non‑critical tokens” into full‑fledged secrets. Keys now grant access to paid LLM endpoints and can be abused to make unauthorized requests on behalf of the owner.
The article explains that Google API keys were previously considered safe to embed in client-side code because they could be restricted to a domain or app, but now the same key can authorize requests to generativelanguage.googleapis.com. This creates a new class of leakage risk: a compromised key lets an attacker exhaust paid quotas and, depending on the project's API restrictions, reach project data without any further authentication.
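Because the risk described above only materialises when a leaked key is actually accepted by the Gemini endpoint, a practitioner wants two things: a scanner that flags Google API keys in source, and a way to tell whether a found key is live against generativelanguage.googleapis.com. The example below is added here and is not code from the Truffle Security post or from Google; it uses the real `x-goog-api-key` header and the real `/v1beta/models` listing endpoint, but the `AIza` pattern, the sample snippet and the mapping of HTTP status codes and error `status` strings to verdicts are this example's own assumptions.

```python
"""Find Google API keys in text and classify a Gemini endpoint probe response."""
import json
import re
import urllib.error
import urllib.request
from typing import Optional

# Google API keys are 39 characters starting with "AIza"; this is the pattern
# secret scanners commonly use (an assumption of this example, not Google's spec).
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Gemini API model listing endpoint. A key that is accepted here can also call
# the paid generateContent endpoints, which is the point the article makes.
GEMINI_MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"

# Constructed sample of client-side code with an embedded (fake) key.
CONSTRUCTED_SNIPPET = (
    'const cfg = { apiKey: "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q",\n'
    '              authDomain: "example.firebaseapp.com" };\n'
)


def find_google_api_keys(text: str) -> list[str]:
    """Return unique candidate keys in order of first appearance."""
    seen: set[str] = set()
    out: list[str] = []
    for match in GOOGLE_API_KEY_RE.finditer(text):
        key = match.group(0)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def classify_probe(status: int, body: str) -> str:
    """Map an HTTP status and JSON body from GEMINI_MODELS_URL to a verdict.

    Google error responses carry the envelope {"error": {"code", "message", "status"}}.
    Which code/status pairs mean what is this example's heuristic, not a documented API.
    """
    if status == 200:
        return "gemini-enabled"      # live secret: paid Gemini quota is exposed
    if status == 429:
        return "gemini-enabled"      # quota exhausted, which still proves the key works
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return "unknown"
    reason = err.get("status", "")
    if status == 400 and reason == "INVALID_ARGUMENT":
        return "invalid"             # revoked or malformed key
    if status == 403 and reason == "PERMISSION_DENIED":
        return "restricted"          # key exists but is blocked for this API or referrer
    return "unknown"


def probe_key(key: str, referer: Optional[str] = None) -> str:
    """Send the probe over the network and classify the answer.

    Only run this against keys belonging to projects you are authorised to test.
    Passing the Referer the key was found under reproduces a browser's request,
    since HTTP-referrer restrictions are enforced from that header.
    """
    req = urllib.request.Request(GEMINI_MODELS_URL, headers={"x-goog-api-key": key})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_probe(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_probe(exc.code, exc.read().decode())


if __name__ == "__main__":
    for found in find_google_api_keys(CONSTRUCTED_SNIPPET):
        print("candidate key:", found)
        # print(probe_key(found, referer="https://example.com/"))  # network call
```

The scanner part runs offline on the constructed snippet; `probe_key` is the step that needs the network and is left commented out in the usage block. A verdict of `restricted` is not a clean bill of health: it only means the request as sent was refused, so re-probe with the Referer the key was deployed under before deciding it is not abusable.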
📎 Article: https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules