Google API keys remain valid for up to 23 minutes after deletion due to eventual consistency in Google's infrastructure, despite the GCP console claiming immediate revocation. Testing across 10 trials showed a median revocation window of ~16 minutes and a maximum of ~23 minutes, with regional variation (Asia-Pacific propagated faster than US/Europe). The same delay affects keys scoped to BigQuery, Maps, and Gemini. By contrast, Google Service Account keys revoke in ~5 seconds and newer Gemini API keys (AQ. prefix) in ~1 minute. Google closed the vulnerability report as 'won't fix,' citing eventual consistency as a known system property. The practical risk: an attacker holding a leaked key can continue making authenticated requests during the window, including dumping Gemini-uploaded files and cached conversations. Recommended mitigations include treating key deletion as a 30-minute operation and monitoring GCP API traffic during that window.
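As an added example, not code from the aikido.dev post, here is the monitoring half of that mitigation: given a log of API requests and the time each key was deleted in the console, it flags authenticated requests that arrived after deletion and reports how long each key stayed usable. The log line format, the key id and the timestamps are constructed for the example.

```python
# Added example (not from the aikido.dev post): flag requests that a Google API
# key still authenticates *after* its deletion, and measure the revocation window.
# Assumed, constructed log format: '<ISO-8601 UTC timestamp> key=<id> status=<HTTP>'.
from datetime import datetime, timedelta

REVOCATION_GRACE = timedelta(minutes=30)  # treat deletion as a 30-minute operation

# Constructed sample: key deleted at 12:00:00 UTC, still accepted for ~16 minutes.
DELETIONS = {"api-key-1": datetime(2024, 6, 1, 12, 0, 0)}  # placeholder key id
SAMPLE_LOG = """\
2024-06-01T11:59:30Z key=api-key-1 status=200
2024-06-01T12:04:10Z key=api-key-1 status=200
2024-06-01T12:15:45Z key=api-key-1 status=200
2024-06-01T12:17:02Z key=api-key-1 status=403
2024-06-01T12:40:00Z key=api-key-1 status=403
"""

def parse_line(line):
    ts, key, status = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            key.split("=", 1)[1], int(status.split("=", 1)[1]))

def post_deletion_successes(log_text, deletions):
    """[(key, timestamp)] for 2xx responses to a key after its deletion time:
    the events to alert on while the deletion propagates."""
    hits = []
    for line in log_text.splitlines():
        ts, key, status = parse_line(line)
        deleted_at = deletions.get(key)
        if deleted_at and ts > deleted_at and 200 <= status < 300:
            hits.append((key, ts))
    return hits

def observed_windows(log_text, deletions):
    """Seconds from deletion to the last accepted request, per deleted key
    (0.0 when nothing was accepted after deletion)."""
    windows = {k: 0.0 for k in deletions}
    for key, ts in post_deletion_successes(log_text, deletions):
        windows[key] = max(windows[key], (ts - deletions[key]).total_seconds())
    return windows

def still_in_grace(deletions, now):
    """Keys deleted less than REVOCATION_GRACE ago: keep watching their traffic
    even though the console already reports them as revoked."""
    return [k for k, t in deletions.items() if now - t < REVOCATION_GRACE]

if __name__ == "__main__":
    print(post_deletion_successes(SAMPLE_LOG, DELETIONS))
    print(observed_windows(SAMPLE_LOG, DELETIONS))  # {'api-key-1': 945.0}
    print(still_in_grace(DELETIONS, datetime(2024, 6, 1, 12, 20)))
```

In practice the log text would come from an export of the project's API request logs filtered to the deleted key's id, with the deletion time taken from the console audit trail.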

From aikido.dev (9 min read)
Table of contents
- Authentication should not be eventually consistent
- Measuring the revocation window
- Disclosing to Google
- Broken User Expectations
- Working around the window
