Google API Keys Weren't Secrets. But then Gemini Changed the Rules.


title: Google API Keys Weren't Secrets. But then Gemini Changed the Rules.
author: u/Chaoticblue3
contenttype: redditpost
publication: r/programming
published: 2026-02-27T00:04:54+00:00
sourceurl: https://www.reddit.com/r/programming/comments/1rfr1jg/googleapikeyswerentsecretsbutthengemini/

word_count: 86

Link: https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

Score: 388 | Comments: 18 | Subreddit: r/programming


Top Comments

u/TheRealKidkudi (126 pts):
This feels like a big miss that should’ve been an obvious catch by Google. We’ll never know, but I’m curious how the decision was even approved to use the same publishable keys for Gemini.

u/MooseBoys (59 pts):
WHOOPS!

WHOOPSIE!

u/Kok_Nikol (32 pts):
I might be imagining things, but that warning that a key is unrestricted wasn't always there, right?

Maybe the change was prompted by this finding

u/Chaoticblue3 (33 pts):
Hacker News Discussion: https://news.ycombinator.com/item?id=47156925

u/Bartfeels24 (8 pts):
The problem is you still need to restrict API keys at the endpoint level, and Google's restriction options don't cover Gemini the way they cover other APIs, so you're back to hoping rate limiting catches abuse before your bill explodes.
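The audit a defender would run after reading the comment above, as an added example that is not the commenter's, TruffleHog's or Google's code: it takes the JSON that `gcloud services api-keys list --format=json` prints and flags keys with no API restriction at all, plus client-side (browser/app) keys that are explicitly allowed to call the Gemini API. The field names (`restrictions.apiTargets`, `browserKeyRestrictions`, ...) follow the API Keys v2 Key resource and are an assumption here; the sample input is constructed.

```python
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"   # Gemini API service name
# Restriction blocks that mark a key as one meant to ship inside a client.
CLIENT_RESTRICTIONS = ("browserKeyRestrictions", "androidKeyRestrictions", "iosKeyRestrictions")


def audit_key(key: dict) -> list[str]:
    """Return findings for one Key resource (empty list = nothing to flag)."""
    restrictions = key.get("restrictions") or {}
    targets = {t.get("service", "") for t in restrictions.get("apiTargets", [])}
    publishable = any(r in restrictions for r in CLIENT_RESTRICTIONS)
    findings = []
    if not targets:
        # No API restriction: the key is accepted by every API enabled in the project.
        findings.append("unrestricted: accepted by every enabled API, Gemini included")
    elif publishable and GEMINI_SERVICE in targets:
        # A key meant to be embedded in a page or app, yet allowed to call Gemini.
        findings.append("publishable key may call Gemini: a leak exposes your bill")
    return findings


def audit(keys_json: str) -> dict[str, list[str]]:
    """Map key display name -> findings, keeping only keys that have findings."""
    report = {}
    for key in json.loads(keys_json):
        findings = audit_key(key)
        if findings:
            report[key.get("displayName", key.get("name", "?"))] = findings
    return report


# Constructed sample (assumed shape of `gcloud services api-keys list --format=json`).
SAMPLE = json.dumps([
    {"displayName": "legacy-web-key", "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]}}},
    {"displayName": "maps-only-web-key", "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]},
        "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "chat-widget-key", "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]},
        "apiTargets": [{"service": GEMINI_SERVICE}]}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Keys that only carry a referrer restriction still pass the first branch, which is the gap the thread is about: the referrer check does not stop a server-side caller, only an API restriction does.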

u/Snowflake2592 (28 pts):
Neither the author nor the article passes the Turing test.

u/Lowetheiy (11 pts):
Cool story, but it turned into an ad for TruffleHog by the end.