“Google’s documentation said API keys were not credentials. Gemini’s API contradicts that, and the entire ecosystem of leaked keys just became dangerous.”
For years Google insisted that an API key was a public identifier, not a secret. Devs leaked them by the millions in mobile apps and public repos. Then Gemini launched, and the same kind of key now grants access to a model that is billed per request and costs real money. Google did not announce the change, did not rotate the existing keys, and did not warn the developers sitting on a decade of public exposure. The bills will arrive shortly.