
Deleted Google API keys remain valid for up to 23 minutes after revocation, potentially allowing attackers to continue accessing Google Cloud services and Gemini data long after the credentials have been disabled.
Google acknowledged the behavior following a report by Aikido, but closed the report as “won’t fix,” describing the propagation delay as an expected property of the system.
Aikido examined how Google Cloud Platform (GCP) handles API key revocation across its distributed infrastructure, and found that deleting an API key from the Google Cloud console does not immediately invalidate it globally. Instead, revocation propagates gradually across authentication servers, creating a window during which some systems still accept the supposedly deleted credential.
To measure the revocation delay, Aikido's researchers conducted 10 separate experiments over two days. In each trial, a newly created API key was deleted, after which the researchers continuously sent authenticated requests at a rate of three to five requests per second until all responses consistently failed. The tests were designed to probe different authentication servers and routing paths within Google's global infrastructure.
The results showed significant inconsistencies. The shortest observed revocation window lasted nearly eight minutes, while the longest extended to almost 23 minutes. The median delay was roughly 16 minutes. Even after deletion, many requests continued to succeed intermittently, indicating that some backend systems had not yet synchronized the revocation state.
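The measurement described above can be reproduced against a key you own: delete it in the console, then start a probe loop that records the last accepted request and stops once rejections have been consistent for a quiet period. The following is an added example, not Aikido's code; the Gemini ListModels URL used as a read-only probe is an assumption, and `SimClock` exists only so the loop can be dry-run without network access.

```python
import time
import urllib.error
import urllib.request
from typing import Callable

def gemini_probe(api_key: str) -> Callable[[], bool]:
    """Read-only liveness probe for a key. Assumption (not from the article):
    the Gemini ListModels endpoint accepts the key as a ?key= query parameter."""
    url = f"https://generativelanguage.googleapis.com/v1beta/models?key={api_key}"
    def probe() -> bool:
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return 200 <= resp.status < 300
        except urllib.error.HTTPError as exc:
            if exc.code in (400, 401, 403):   # key rejected by this backend
                return False
            raise                             # 5xx etc.: do not count as revoked
    return probe

class SimClock:
    """Fake clock so the measurement loop can be dry-run without network."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, s: float) -> None:
        self.t += s

def measure_revocation_window(probe, interval_s=0.25, quiet_s=60.0, max_s=1800.0,
                              clock=time.monotonic, sleep=time.sleep) -> dict:
    """Start this immediately after deleting the key. Probe every interval_s
    seconds until no request has succeeded for quiet_s (the key is rejected
    'consistently', as in Aikido's method) or max_s elapses. Times in seconds."""
    start = clock()
    last_success = first_failure = None
    sent = accepted = 0
    while True:
        now = clock() - start
        sent += 1
        if probe():
            accepted += 1
            last_success = now
        elif first_failure is None:
            first_failure = now
        if now - (last_success or 0.0) >= quiet_s or now >= max_s:
            break
        sleep(interval_s)
    return {"window_s": last_success, "first_failure_s": first_failure,
            "requests": sent, "accepted": accepted, "timed_out": now >= max_s}
```

`window_s` is the time of the last accepted request since deletion, which is the figure the article reports per trial; `first_failure_s` shows how early the first backend had synchronized.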
According to the researchers, this behavior creates a dangerous opportunity for attackers who have obtained exposed API keys. If a compromised credential grants access to Gemini APIs, threat actors could potentially retrieve uploaded files, cached prompts, and conversations during the revocation window.
The issue affects traditional Google API keys broadly rather than any specific service. Aikido observed the same delayed revocation behavior with keys tied to BigQuery, Google Maps Platform, and Gemini APIs. However, the company noted that newer Google credential systems revoke access much faster. Gemini’s newer “AQ.”-prefixed API keys stopped working in about one minute during testing, while Google Service Account keys invalidated in approximately five seconds.
Aikido additionally tested revocation behavior across multiple Google Cloud regions using virtual machines hosted in us-east1, europe-west1, and asia-southeast1. The researchers found major regional inconsistencies in how quickly revocation propagated. Surprisingly, systems in Asia often rejected deleted keys faster than US-based infrastructure, despite the keys being created and deleted from the United States.
The researchers also criticized Google’s API key deletion interface, which tells users that deleted keys “can no longer be used to make API requests” immediately after removal. Aikido says that statement is misleading because users have no visibility into whether the key remains active elsewhere in Google’s infrastructure and no mechanism to force faster invalidation.
Google reportedly told the researchers that the delay is a known aspect of the platform’s architecture and does not constitute a security vulnerability. While Google documents eventual consistency behavior for some IAM components, Aikido notes that the company does not explicitly warn users about delayed revocation for standard API keys.
