If you use Firebase to host your website, you probably will not need most of them. When you create an API key to use with AI Studio, restrict it to the “Gemini API” only.
Attention points:
- By default, a new API key is created without any restriction.
- If you search for an API that you want to select but it is missing from the list, the API is probably not enabled in the Google Cloud project that you use. Go to the API Library in the Cloud console, find the API by name and enable it first.
- You can do all of these actions in the Cloud console or with the gcloud CLI. Other interfaces (e.g. Firebase) may not give you access to all parameters of the API keys.
Application Restrictions
Similar to API restrictions, which limit the services your key can be used for, Application Restrictions limit the applications that can use the key. For example, if you create an API key only for use with Google AI Studio, setting its application restriction to the website “https://aistudio.google.com/” prevents your key from being used by automations that call Gemini and consume a high volume of tokens at scale.
You can set up one or more restrictions of one of the following types:
- Websites/Web applications, using a list of URLs
- Services, using a list of IPv4 or IPv6 addresses or subnet masks
- iOS applications, using a list of Bundle IDs
- Android applications, using a list of package name and certificate fingerprint pairs
Note that you can restrict the key to a single application type only. Create a designated API key for each application type. Having a key per application type helps when observing the key usage and investigating potentially compromised keys.
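The following audit script is an added example and not code from the original post. It walks the JSON that `gcloud services api-keys list --format=json` prints for a project and reports every key that lacks an API restriction, lacks an application restriction, or carries more than one application restriction type. The field names follow the API Keys v2 `Restrictions` resource (`apiTargets`, `browserKeyRestrictions`, `serverKeyRestrictions`, `iosKeyRestrictions`, `androidKeyRestrictions`); the three sample keys are constructed.

```python
"""Audit Google Cloud API keys for missing API and application restrictions.

Added example (not from the original post). Input is assumed to be the JSON
output of `gcloud services api-keys list --format=json`; the sample below is
constructed to show one correctly restricted key, one key with an API
restriction but no application restriction, and one fully unrestricted key.
"""
import json

SAMPLE_KEYS_JSON = """
[
  {"name": "projects/123/locations/global/keys/aaa", "displayName": "AI Studio key",
   "restrictions": {
     "apiTargets": [{"service": "generativelanguage.googleapis.com"}],
     "browserKeyRestrictions": {"allowedReferrers": ["https://aistudio.google.com/*"]}}},
  {"name": "projects/123/locations/global/keys/bbb", "displayName": "backend key",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}]}},
  {"name": "projects/123/locations/global/keys/ccc", "displayName": "legacy key"}
]
"""

# One field per application type; a key may carry only one of them.
APP_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",   # websites / web apps: referrer URLs
    "serverKeyRestrictions",    # services: IP addresses or subnets
    "iosKeyRestrictions",       # iOS: bundle IDs
    "androidKeyRestrictions",   # Android: package name + certificate fingerprint
)


def audit_key(key: dict) -> dict:
    """Return the restriction summary and findings for a single key."""
    restrictions = key.get("restrictions", {})
    api_targets = [t.get("service") for t in restrictions.get("apiTargets", [])]
    app_types = [f for f in APP_RESTRICTION_FIELDS if f in restrictions]
    findings = []
    if not api_targets:
        findings.append("no API restriction: key can call every enabled API")
    if not app_types:
        findings.append("no application restriction: any client can use the key")
    if len(app_types) > 1:
        # The console allows a single application type; flag inconsistent data.
        findings.append("more than one application restriction type")
    return {
        "name": key["name"],
        "displayName": key.get("displayName", ""),
        "apiTargets": api_targets,
        "appRestrictionTypes": app_types,
        "findings": findings,
    }


def audit_keys(keys_json: str) -> list:
    """Audit every key in a gcloud api-keys list JSON document."""
    return [audit_key(k) for k in json.loads(keys_json)]


def unrestricted_keys(keys_json: str) -> list:
    """Resource names of keys with at least one finding, i.e. keys to tighten."""
    return [r["name"] for r in audit_keys(keys_json) if r["findings"]]


if __name__ == "__main__":
    for report in audit_keys(SAMPLE_KEYS_JSON):
        status = "; ".join(report["findings"]) or "ok"
        print(f"{report['displayName']:<15} {status}")
```

Run it against real output with `gcloud services api-keys list --format=json > keys.json` and pass the file contents to `audit_keys`; each flagged key is a candidate for a dedicated, per-application-type replacement as described above.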
Step 2: Store API key
I want to reiterate that the API key is not paired with your identity. ANYONE can use it. So, storing the key securely is as important as restricting the key use in Step 1.
The rule is simple: NEVER EVER store the key where it can be easily seen.
If you use an API key in your application, store it in Secret Manager or a similar secret management service. Secret Manager lets you inject your API key into Cloud Run and GKE environments easily. However, for stronger protection you may want to read the key from the secret store in your code instead. See the documentation for an example.
If you use an API key with an external application that asks you to type in the key, take extra steps to explore how the application manages your key. You would need to find out how the key is stored and how it is used in the requests. For Web applications, you may use browser developer tools to inspect application traffic and ensure that the key is never sent in an unencrypted communication channel. For example, Google AI Studio uses encrypted local storage and sends the key via a TLS-encrypted channel.
When Something Goes Wrong
What to do if you suspect that your key is compromised? The straightforward action is the same as with a credit card. First thing ‒ delete the key. You can do it in the Cloud console or using gcloud services api-keys delete command. If you find out that it was a false alarm, you can undelete during the next 30 days.
What if you do not know which key is compromised? In that case you need to do a two-step investigation:
- Find all API keys in your organization or project(s)
- Check the API consumption graph for the APIs that each key is allowed to access
Find out all your API keys
There is more than one way to find your API key resources. You can use Asset Inventory in the Cloud console and filter the dashboard by the Resource type to check apikeys.Key. If you do not see this resource type, find and click on “View more…” to expand the resource type list. Note that the list shows deleted API keys as well.
If you prefer the CLI and you know the specific project(s), you can use the gcloud services api-keys list command.
To see all active keys in your organization, you will need to use the gcloud asset search-all-resources command and query its JSON output to filter out deleted keys:
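The script below is an added example, not the post's own command. It assumes the input is the JSON printed by `gcloud asset search-all-resources --scope=organizations/ORG_ID --asset-types=apikeys.googleapis.com/Key --format=json`, and it filters out deleted keys and groups the rest by project so each one can be looked at with `gcloud services api-keys describe`. How a deleted key is marked in that output is an assumption here: a result is treated as deleted when its `state` is "DELETED" or when a `deleteTime` is present at the top level or under `additionalAttributes`. The three sample results are constructed.

```python
"""Filter Cloud Asset Inventory search results down to active API keys.

Added example (not from the original post). Assumed input: the JSON output of
`gcloud asset search-all-resources --asset-types=apikeys.googleapis.com/Key
--format=json` with an organization or folder scope. The deleted-key marker
is an assumption (see is_deleted); the sample data is constructed.
"""
import json
from collections import defaultdict

KEY_ASSET_TYPE = "apikeys.googleapis.com/Key"

SAMPLE_ASSETS_JSON = """
[
  {"name": "//apikeys.googleapis.com/projects/111/locations/global/keys/k1",
   "assetType": "apikeys.googleapis.com/Key", "project": "projects/111",
   "displayName": "AI Studio key", "state": "ACTIVE"},
  {"name": "//apikeys.googleapis.com/projects/111/locations/global/keys/k2",
   "assetType": "apikeys.googleapis.com/Key", "project": "projects/111",
   "displayName": "old key", "state": "DELETED",
   "additionalAttributes": {"deleteTime": "2024-05-01T10:00:00Z"}},
  {"name": "//apikeys.googleapis.com/projects/222/locations/global/keys/k3",
   "assetType": "apikeys.googleapis.com/Key", "project": "projects/222",
   "displayName": "website key"}
]
"""


def is_deleted(asset: dict) -> bool:
    """Assumed deletion markers: state == DELETED or a populated deleteTime."""
    if asset.get("state") == "DELETED":
        return True
    if asset.get("deleteTime"):
        return True
    return bool(asset.get("additionalAttributes", {}).get("deleteTime"))


def active_keys_by_project(assets_json: str) -> dict:
    """Map each project (projects/NUMBER) to the names of its active API keys."""
    grouped = defaultdict(list)
    for asset in json.loads(assets_json):
        if asset.get("assetType") != KEY_ASSET_TYPE:
            continue  # ignore anything that is not an API key resource
        if is_deleted(asset):
            continue  # deleted keys still show up in search results
        grouped[asset.get("project", "unknown")].append(asset["name"])
    return dict(grouped)


def key_id(resource_name: str) -> str:
    """KEY_ID from //apikeys.googleapis.com/projects/.../keys/KEY_ID.

    This is the identifier gcloud services api-keys describe/delete expect.
    """
    return resource_name.rsplit("/", 1)[-1]


if __name__ == "__main__":
    for project, names in sorted(active_keys_by_project(SAMPLE_ASSETS_JSON).items()):
        print(project)
        for name in names:
            print("  key id:", key_id(name))
```

To use it on real data, redirect the gcloud command's output to a file and pass the file contents to `active_keys_by_project`; the per-project key IDs it returns are the ones whose consumption graphs you check in the second step.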