Google API Keys and Gemini: What You Should Know

Recently, security researchers discovered that Application Programming Interface (API) keys used by websites to connect to services like Google Maps or Firebase may not be as secure as once thought. With the introduction of Google’s AI platform Gemini, some of these same keys can now be used to access additional services if certain settings are enabled in a Google Cloud account. This means that keys that were previously considered harmless may now allow access to AI features that were never intended to be public.

The risk is that if a key is visible on a website and the Gemini AI service is enabled in the same Google Cloud project, someone could potentially use that key to interact with the AI service or generate usage charges. While Google is working on improvements and protections, it’s still a good idea for businesses to review their settings and ensure their keys are properly restricted.

What business should do:

• - Check if the Gemini API is enabled - Log in to the Google Cloud Console and review APIs & Services > Enabled APIs to see whether the Generative Language (Gemini) API is active in any of your projects.

• - Review existing API keys - Go to APIs & Services > Credentials and confirm that each API key is restricted to only the specific services it needs (for example, limiting a key to Google Maps only).
• - Apply application restrictions - Ensure API keys are restricted to specific websites (HTTP referrers), IP addresses, or applications so they cannot be used outside their intended environment.
• - Avoid unrestricted or publicly exposed keys - Check that API keys embedded in website code are not set to “unrestricted” and cannot access services beyond their intended purpose.
• - Rotate exposed API keys - If an API key has been publicly visible in website code or repositories, generate a new key and disable the old one to prevent potential misuse.
• - Work with a developer or IT provider - A developer or IT provider can audit your Google Cloud configuration and ensure your API keys and permissions follow recommended security practices.

As AI services continue to expand, regularly reviewing your API settings is a simple but important step to keep your systems secure.