https://discuss.ai.google.dev/t/unexpected-54k-billing-spike-in-13-hours-firebase-browser-key-without-api-restrictions-used-for-gemini-requests/140262
Article
- Developer hit a €54k bill in 13 hours from an unrestricted Firebase browser API key.
- Budget alerts fired hours late; costs had reached €28k before the team reacted.
- Firebase browser keys are not secrets by design — but the Gemini API treats them as full credentials.
- Google’s delayed cost aggregation makes real-time spend caps impossible.
Discussion
- Consensus: Google’s lack of hard spend caps is a deliberate product choice, not an oversight.
- Fix: restrict the API key in the Cloud Console to specific APIs and HTTP referrers (restrictions are not on by default).
- Multiple commenters share similar incidents: $26k and $6.9k losses from the same pattern.
- HN remains the fastest path to Google support — shameful in 2026.
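The fix above is a per-key setting that nobody applies by default, so the useful check is an audit of every key in the project for missing API and application restrictions. The script below is an added example, not code from the discussion or from Google; it assumes the JSON shape of the API Keys v2 `Key` resource (the `restrictions.apiTargets` and `restrictions.browserKeyRestrictions.allowedReferrers` fields) as printed by `gcloud services api-keys list --format=json`, and the sample keys embedded in it are constructed. The suggested remediation command uses the `--api-target` and `--allowed-referrers` flags of `gcloud services api-keys update`; verify them against your gcloud version before running.

```python
"""Audit Google Cloud API keys for the pattern behind the billing spike:
a browser key with no API restriction and no referrer restriction."""
from __future__ import annotations

import json

# Constructed sample: three keys in the shape of the API Keys v2 `Key`
# resource (assumption). Key strings are placeholders, not real keys.
SAMPLE_KEYS_JSON = """
[
  {
    "name": "projects/example-project/locations/global/keys/browser-key",
    "displayName": "Browser key (auto created by Firebase)",
    "keyString": "AIza-CONSTRUCTED-PLACEHOLDER-1"
  },
  {
    "name": "projects/example-project/locations/global/keys/web-gemini-key",
    "displayName": "Web client, Gemini only",
    "restrictions": {
      "apiTargets": [{"service": "generativelanguage.googleapis.com"}],
      "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}
    }
  },
  {
    "name": "projects/example-project/locations/global/keys/wildcard-key",
    "displayName": "Wildcard referrer",
    "restrictions": {
      "apiTargets": [{"service": "generativelanguage.googleapis.com"}],
      "browserKeyRestrictions": {"allowedReferrers": ["*"]}
    }
  }
]
"""

# The four mutually exclusive application restrictions a key can carry.
APPLICATION_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def audit_key(key: dict) -> list[str]:
    """Return a list of findings for one key; an empty list means it is restricted."""
    findings: list[str] = []
    restrictions = key.get("restrictions") or {}

    # No apiTargets means the key can call every API enabled in the project,
    # which is what turned a Firebase browser key into a Gemini credential.
    if not restrictions.get("apiTargets"):
        findings.append("no API restriction: the key can call every API enabled in the project")

    # No application restriction means any origin, script or IP can present the key.
    applied = [f for f in APPLICATION_RESTRICTION_FIELDS if restrictions.get(f)]
    if not applied:
        findings.append("no application restriction: any origin can use the key")

    # A browser restriction with an empty or wildcard referrer list is a no-op.
    browser = restrictions.get("browserKeyRestrictions") or {}
    referrers = browser.get("allowedReferrers") or []
    if browser and (not referrers or any(r.strip() in ("*", "*/*") for r in referrers)):
        findings.append("wildcard referrer: the browser restriction is ineffective")

    return findings


def audit_keys(keys_json: str) -> dict[str, list[str]]:
    """Audit every key in a JSON list and map key name to its findings."""
    return {key["name"]: audit_key(key) for key in json.loads(keys_json)}


def suggested_fix(key_name: str, services: list[str], referrers: list[str]) -> str:
    """Build the gcloud command that pins a key to given APIs and referrers.

    Flag names are taken from the `gcloud services api-keys update` reference
    (assumption of this example); `--api-target` is repeated once per service.
    """
    api_targets = " ".join(f"--api-target=service={s}" for s in services)
    return (
        f"gcloud services api-keys update {key_name} {api_targets} "
        f"--allowed-referrers={','.join(referrers)}"
    )


if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS_JSON).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
        if findings:
            print("  fix:", suggested_fix(name, ["generativelanguage.googleapis.com"],
                                         ["https://app.example.com/*"]))
```

Run it against real output by replacing `SAMPLE_KEYS_JSON` with the contents of `gcloud services api-keys list --format=json`; any key with findings is a candidate for the referrer and API restriction the thread recommends, and the audit is cheap enough to run on a schedule so a newly auto-created key does not sit unrestricted for long.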
Discuss on HN