Google cracks down on unrestricted API keys to stop Gemini billing hackers

Google Cloud is implementing changes to better protect Gemini users from unauthorized API key abuse. Starting June 19th, 2026, the Gemini API will reject requests from unrestricted standard keys.
- Unrestricted Gemini API keys will be blocked starting June 19th, 2026.
- Google is migrating Gemini to secure “auth keys” by September 2026.
- Changes prevent malicious hackers from causing massive unauthorized cloud bills.
For years, Google told developers that Google API keys, used for Maps, Firebase and other services, were not secrets.
Yet later, those same keys were given access to a new Gemini API, exposing users to trivially easy attacks. Hackers find exposed keys on websites, apps, repositories, and elsewhere, and rack up the bills, causing severe financial damage with little to no warning.
Truffle Security in February warned developers that seemingly harmless identifiers can be abused to generate thousands of dollars in charges and even leak private data. Google dismissed the initial disclosure but later acknowledged the issue.
Later, reports started piling up about developers receiving massive bills, sometimes 457 times larger than usual, and going bankrupt due to devastating Google Cloud charges without hard spending caps.
Google is now deprecating standard API keys for Gemini access in favor of a new key type.
“On June 19th, 2026: The Gemini API will reject requests from unrestricted standard keys. Standard API keys that have explicit restrictions applied will continue to work. This restriction prevents the unauthorized use of keys that might be shared publicly or linked to other services,” Google’s updated documentation reads.
This means that old API keys that weren’t intended for the Gemini API will no longer be able to burn tokens.
In September 2026, the Gemini API will completely reject all requests from standard keys as Google migrates Gemini to a new key type – “auth keys” – to further improve security.
Standard API keys will be used only to associate requests with a Google Cloud project for billing and quota purposes, and will carry no caller identity.
Meanwhile, Auth (authorization) keys are sensitive credentials bound directly to a Google Cloud service account.
“When you use an authorization key, your requests are processed under the identity of that bound service account, enabling granular access control. Authorization keys are restricted to the Generative Language API (Gemini API) by default and provide fast-acting leaked key enforcement that quickly stops the usage of leaked keys detected by our systems,” the support page explains.
Beware that all new keys created in Google AI Studio are automatically auth keys.
The community welcomes the changes.
“Took them long enough, but Google is finally closing the unrestricted keyhole on the Gemini API,” one of the posts on Reddit reads. “People have seen five-figure bills from exactly this.”
However, users suggest that the changes wouldn’t be necessary if this separation had been the default “years ago.”
To curb abuse, Google started blocking dormant keys starting May 7th, tightened the Google Cloud Console to require at least one API restriction to create an API key, and implemented other changes.
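An added example, not code from the article or from Google: a small Python audit over the output of `gcloud services api-keys list --format=json` that sorts a project's standard keys into the ones the June 19th rule would reject (no restriction at all), the ones restricted to the Gemini API, and the ones restricted to other services. The JSON field names, the `generativelanguage.googleapis.com` service identifier and the sample key list are assumptions constructed for the example.

```python
import json

# Service name of the Gemini API as it appears in apiTargets restrictions
# (assumption: Google's "Generative Language API" identifier).
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Restriction fields that count as an explicit restriction for this audit
# (assumption: mirrors the API Keys resource fields; the article only says
# "explicit restrictions").
CLIENT_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                       "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed sample in the shape of `gcloud services api-keys list --format=json`
# (assumed shape; not data from the article).
SAMPLE_KEYS = json.loads("""[
 {"name": "projects/demo/locations/global/keys/k1", "displayName": "maps-web",
  "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
 {"name": "projects/demo/locations/global/keys/k2", "displayName": "legacy"},
 {"name": "projects/demo/locations/global/keys/k3", "displayName": "gemini-backend",
  "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}],
                   "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}}
]""")


def classify_key(key):
    """Classify one API key resource for the June 19th, 2026 Gemini cutoff."""
    restrictions = key.get("restrictions") or {}
    targets = {t.get("service") for t in restrictions.get("apiTargets", [])}
    has_client = any(field in restrictions for field in CLIENT_RESTRICTIONS)
    if not targets and not has_client:
        return "unrestricted"      # will be rejected by the Gemini API
    if targets and GEMINI_SERVICE not in targets:
        return "other-service"     # cannot reach Gemini at all; leave as is
    return "restricted"            # keeps working until standard keys retire


def audit(keys):
    """Group key display names by classification so unrestricted keys stand out."""
    report = {"unrestricted": [], "restricted": [], "other-service": []}
    for key in keys:
        report[classify_key(key)].append(key["displayName"])
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_KEYS).items():
        print(f"{bucket:14} {', '.join(names) or '-'}")
```

Anything in the unrestricted bucket needs an API restriction applied, or replacement with an auth key, before the cutoff.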