Deleted Google API keys keep working for up to 23 minutes, researchers warn
ID: f6274638-2b1c-5235-8eba-c242654514d8
STIX ID: report--f6274638-2b1c-5235-8eba-c242654514d8
Feed Name: Help Net Security
Aikido Security found that deleted Google API keys can still authenticate for a median of ~16 minutes (up to 23 minutes) due to eventual consistency in Google Cloud, meaning key deletion is not immediately effective. This affects keys for Gemini and other GCP APIs. The researchers note misleading UI messaging and the lack of any way to confirm that revocation has completed. Faster revocation is possible for other key types, but Google currently treats the delay as expected, so users should monitor API usage and assume a ~30-minute window before deletion is fully effective.
