Security firm Aikido reported on May 21 that a deleted or revoked Google API key can keep authenticating requests for up to 23 minutes after a developer kills it — a window wide enough for anyone holding a leaked key to keep pulling files and cached Gemini conversation data out of the API after the owning team believes the exposure is closed.
A 23-minute revocation tail
Aikido researcher Joe Leon found that key revocation propagates gradually across Google's infrastructure rather than taking effect atomically. During the lag, behavior is inconsistent: success rates swing minute to minute, and in some minutes more than 80% of requests made with the revoked key still authenticate. The practical result is that an attacker who scrapes a key from a public repo, a log, or a client bundle does not lose access the instant the owner notices and rotates it.
Not every credential leaks the same way
The lag is specific to standard, long-lived Google API keys. Google's newer credential formats close far faster: service-account API credentials revoke in about five seconds, and Gemini's newer AQ-prefixed key format takes roughly a minute. That gap is the crux of Aikido's argument. "Both run at Google scale," Leon said of the faster-revoking formats. "Both suggest this is technically solvable for Google API keys, too."
Why a few minutes is a long time now
The finding matters because it breaks an assumption baked into most incident-response playbooks: that revoking a credential is instantaneous and final. Teams are trained to rotate a key the moment they spot exposure and treat the incident as contained. A multi-minute tail means containment is eventually-consistent, not immediate — and attacker tooling has collapsed the time it needs to act. Telemetry cited in the reporting puts the average gap between an initial breach and the next stage of an attack at 22 seconds, down from eight hours. Against that cadence, a 23-minute window is hundreds of automated actions, not a rounding error.
What builders should change
For anyone shipping on the Gemini API, the takeaway is to stop treating API-key revocation as a hard stop. Favor service accounts or short-lived tokens over long-lived keys for production Gemini traffic, scope keys narrowly, and keep monitoring a revoked key's usage rather than assuming deletion ends the exposure. More broadly, the episode underscores that the security primitives underpinning AI deployments — auth, key lifecycle, and revocation guarantees — are being stress-tested in production by every vendor at once, Google included.
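The "keep monitoring a revoked key's usage" advice above is only actionable if the monitoring treats the revocation timestamp as the start of a watch window rather than the end of the incident. The following Python script is an added example, not code from Aikido or Google: it assumes API-access logs are available as JSON lines with constructed fields (`ts`, `key_hint`, `status`; these names are an assumption, not any real Google log schema), takes a registry of revoked key hints with their revocation times, and reports how long the revoked key kept succeeding, the per-minute success rate during the tail, and whether the exposure can yet be declared contained given a quiet period with no successful use.

```python
"""Post-revocation usage monitor (added example; not Aikido's or Google's code).

Assumed log format, one JSON object per line (constructed field names):
  ts       - ISO-8601 request timestamp
  key_hint - last six characters of the API key used (never log the full key)
  status   - HTTP status returned to the caller
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. The key ending "a1b2c3" is revoked at 12:00:00Z,
# yet requests with it keep succeeding intermittently for ~19 minutes.
SAMPLE_LOG = """
{"ts": "2025-05-21T11:59:30Z", "key_hint": "a1b2c3", "status": 200}
{"ts": "2025-05-21T12:00:10Z", "key_hint": "a1b2c3", "status": 200}
{"ts": "2025-05-21T12:00:40Z", "key_hint": "a1b2c3", "status": 403}
{"ts": "2025-05-21T12:01:05Z", "key_hint": "a1b2c3", "status": 200}
{"ts": "2025-05-21T12:05:15Z", "key_hint": "a1b2c3", "status": 200}
{"ts": "2025-05-21T12:18:45Z", "key_hint": "a1b2c3", "status": 200}
{"ts": "2025-05-21T12:19:00Z", "key_hint": "a1b2c3", "status": 403}
{"ts": "2025-05-21T12:30:00Z", "key_hint": "a1b2c3", "status": 403}
{"ts": "2025-05-21T12:31:00Z", "key_hint": "zz9999", "status": 200}
""".strip()

# Revocation registry: key hint -> time the owner revoked it (constructed).
REVOKED = {"a1b2c3": datetime(2025, 5, 21, 12, 0, 0, tzinfo=timezone.utc)}


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def post_revocation_uses(log_text, revoked):
    """Map key hint -> list of (ts, status) for requests at or after revocation."""
    uses = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        hint = rec["key_hint"]
        if hint not in revoked:
            continue
        ts = parse_ts(rec["ts"])
        if ts >= revoked[hint]:
            uses[hint].append((ts, rec["status"]))
    return dict(uses)


def per_minute_success(uses, revoked_at):
    """Minute offset since revocation -> [successes, total requests]."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, status in uses:
        minute = int((ts - revoked_at).total_seconds() // 60)
        buckets[minute][1] += 1
        if status == 200:
            buckets[minute][0] += 1
    return dict(buckets)


def tail_seconds(uses, revoked_at):
    """Seconds from revocation to the last successful use; 0 if none succeeded."""
    successes = [ts for ts, status in uses if status == 200]
    if not successes:
        return 0
    return int((max(successes) - revoked_at).total_seconds())


def contained(uses, revoked_at, now, quiet=timedelta(minutes=30)):
    """Declare containment only after `quiet` has elapsed with no successful use.

    The quiet period restarts from the most recent success, so a key that is
    still intermittently authenticating never counts as contained.
    """
    last_success = revoked_at + timedelta(seconds=tail_seconds(uses, revoked_at))
    return now - last_success >= quiet


if __name__ == "__main__":
    uses = post_revocation_uses(SAMPLE_LOG, REVOKED)
    for hint, events in uses.items():
        rev = REVOKED[hint]
        print(f"key ...{hint}: last success {tail_seconds(events, rev)}s after revocation")
        for minute, (ok, total) in sorted(per_minute_success(events, rev).items()):
            print(f"  minute +{minute}: {ok}/{total} succeeded")
        now = parse_ts("2025-05-21T12:31:00Z")
        print(f"  contained as of {now.isoformat()}: {contained(events, rev, now)}")
```

The 30-minute quiet period is a deliberately conservative placeholder chosen to exceed the 23-minute tail Aikido measured; the point of the design is that the incident clock resets on every post-revocation success, so the "exposure closed" decision is driven by observed silence rather than by the act of deletion.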