Google API Keys Weren’t Secrets—Until Gemini Broke Everything

Google API Keys Weren't Secrets—Until Gemini Broke Everything Google spent fifteen years telling developers that API keys aren't secrets. Their documentation literally instructs you to paste them into HTML. Firebase's security checklist explicitly states it. Maps JavaScript tutorials show it as best practice. Then Gemini dropped and retroactively turned two decades of following instructions into a security disaster. Here's the thing: Google Cloud uses a single key format (the AIza... prefix) for two completely different purposes: public project identification and sensitive API authentication. When the Gemini API gets enabled on a project, every API key in that project—including the ones you embedded in client-side code years ago—silently gains access to private Gemini endpoints. No warning. No email. No opt-in. I've been saying "keys are not credentials" for years. That's the whole point of Google's design: API keys are for billing and routing, not secrets. But Gemini fundamentally bro

Google API Keys Weren’t Secrets—Until Gemini Broke Everything

Related Articles

Week 6 — No New Problems. Just Me and Everything I Already Learned.

What OpenClaw Gets Wrong Out of the Box (And How to Fix It)

Android Remote Compose：讓 Android UI 不用發版也能更新

Learn Something Old Every Day, Part XVIII: How Does FPU Detection Work?

“Learn to Code” Is Dead… Learn to Think Instead

Related Articles

How-To
Week 6 — No New Problems. Just Me and Everything I Already Learned.
Medium Programming • 2d ago

How-To
What OpenClaw Gets Wrong Out of the Box (And How to Fix It)
Medium Programming • 3d ago

How-To
Android Remote Compose：讓 Android UI 不用發版也能更新
Medium Programming • 3d ago

How-To
Learn Something Old Every Day, Part XVIII: How Does FPU Detection Work?
Lobsters • 3d ago

How-To
“Learn to Code” Is Dead… Learn to Think Instead
Medium Programming • 3d ago