Delv
Hacker News·NEWS·2mo ago

Developer hit with €54k bill after Firebase key used for Gemini API abuse

Google spent over a decade telling developers that Google API keys are not secrets. But that's no longer true.

A developer reported a €54,000 billing spike over 13 hours after their unrestricted Firebase browser key was used to access Gemini APIs. The incident highlights a shift in Google's API security model. For over a decade, Google told developers that API keys for services like Maps and Firebase weren't secrets and could be safely embedded in client-side code. With Gemini's introduction, that guidance no longer holds. The keys can now access expensive generative AI endpoints, turning what was once a low-risk practice into a potential financial disaster. The case underscores the need for developers to audit existing projects and apply strict API restrictions, especially when legacy keys suddenly gain access to costly new services.
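The audit recommended above can start from the restrictions recorded on each key. The sketch below is an added example, not code from the article or from Google: it flags keys with no API restriction and client-side keys whose allow-list includes the Gemini API. It assumes the field names of the API Keys API v2 `Key` resource (`restrictions.apiTargets`, `browserKeyRestrictions`, and so on); the sample keys, finding codes and function names are constructed for illustration.

```python
# Added example: audit API key restrictions for Gemini exposure.
GEMINI = "generativelanguage.googleapis.com"
APP_KINDS = ("browserKeyRestrictions", "serverKeyRestrictions",
             "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed sample data (not from the incident), shaped like Key resources.
SAMPLE_KEYS = [
    {"displayName": "Browser key (auto created by Firebase)"},
    {"displayName": "web-auth",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": ["https://app.example/*"]},
         "apiTargets": [{"service": "identitytoolkit.googleapis.com"},
                        {"service": "firebaseinstallations.googleapis.com"}]}},
    {"displayName": "legacy-web",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": ["https://app.example/*"]},
         "apiTargets": [{"service": "identitytoolkit.googleapis.com"},
                        {"service": GEMINI}]}},
    {"displayName": "backend-genai",
     "restrictions": {
         "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
         "apiTargets": [{"service": GEMINI}]}},
]

def audit_key(key):
    """Return finding codes (hypothetical names) for one key."""
    r = key.get("restrictions") or {}
    targets = {t.get("service") for t in r.get("apiTargets", [])}
    findings = []
    if not targets:
        # No allow-list: the key works with any enabled API that accepts keys.
        findings.append("NO_API_RESTRICTION")
    elif GEMINI in targets and "serverKeyRestrictions" not in r:
        # A key shipped to clients is explicitly allowed to call Gemini.
        findings.append("GEMINI_ON_CLIENT_KEY")
    if not any(kind in r for kind in APP_KINDS):
        findings.append("NO_APP_RESTRICTION")
    return findings

def audit(keys):
    """Map key display name -> findings, omitting clean keys."""
    report = {k.get("displayName", k.get("name", "?")): audit_key(k) for k in keys}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS).items():
        print(f"{name}: {', '.join(findings)}")
```

To run it against a real project, replace `SAMPLE_KEYS` with the parsed output of `gcloud services api-keys list --format=json`.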
