OBLAIDISH NEWS
Google api keys stay active after deletion, security research shows

Deleted Google API keys can still be used to access resources due to a delay in deactivation, creating a window for exploitation, aikido.dev reports.

Deleted Google API keys remain active for an unspecified period, so requests made with a key keep succeeding for some time after the key has been deleted from the project [aikido.dev]. Security researchers at aikido.dev demonstrated the behaviour by deleting keys and then successfully using them, confirming that a real exploitation window exists. Google does not disclose how long a key keeps working after deletion, so engineers cannot accurately assess their exposure [aikido.dev].

The delay is most likely caching or propagation lag across Google's infrastructure, but without a published bound teams cannot plan revocations around it. This matters most during incident response, when immediate deactivation of a leaked key is the whole point of deleting it. Organizations that use Google Cloud Platform services such as Maps, the AI APIs or storage can therefore still suffer unauthorized access if an attacker has recovered a recently deleted key from logs, client-side code or a memory dump.

Google's documentation does not warn developers about this delay, giving a false sense of security once a key has been deleted. API keys are meant to identify the calling project rather than to act as a strong credential, but many teams use them in high-privilege contexts, which increases the impact of misuse.

Why it matters:

• Attackers can exploit the gap between deletion and deactivation to keep access even after the key has been revoked.
• Incident response playbooks that assume a deleted key is immediately invalid are wrong.
• Google's silence on the timeline prevents accurate risk modelling for cloud security teams.
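Because deletion and deactivation are not the same event, an incident response playbook should verify revocation rather than assume it. The script below is an added example, not code from the article or from aikido.dev: it polls an endpoint with the deleted key until the key is rejected and reports how many requests still succeeded in the meantime. The endpoint URL is a placeholder the caller supplies; the simulated backend, its 120-second lag and the fake clock are constructed for the offline demonstration; the assumptions that a rejected key yields a 400, 401 or 403 and that the key can be sent in the x-goog-api-key header are mine.

```python
"""Verify that a deleted API key is actually rejected instead of assuming it is.

Added example, not from the original article or from aikido.dev's research.
Assumptions: the caller supplies the Google endpoint URL; a key the backend no
longer honours produces a 4xx status; the key may be sent in x-goog-api-key.
The simulated backend and clock below are constructed for offline use.
"""
import time
import urllib.error
import urllib.request
from typing import Callable

# Statuses treated as "key rejected" (assumption: 400 "API key not valid",
# 401 or 403). Any 2xx means the key still works.
REJECTED_STATUSES = {400, 401, 403}


def classify(status: int) -> str:
    """Map an HTTP status to accepted / rejected / unknown."""
    if 200 <= status < 300:
        return "accepted"
    if status in REJECTED_STATUSES:
        return "rejected"
    return "unknown"


def make_http_probe(url: str, api_key: str) -> Callable[[], int]:
    """Return a probe that calls `url` (placeholder, supplied by the caller) with
    the key in the x-goog-api-key header and yields the HTTP status code;
    HTTP errors are returned as codes rather than raised."""
    def probe() -> int:
        req = urllib.request.Request(url, headers={"x-goog-api-key": api_key})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return probe


def wait_for_revocation(probe, interval_s=5.0, timeout_s=900.0,
                        clock=time.monotonic, sleep=time.sleep):
    """Poll until the key is rejected or the deadline passes.

    Returns (revoked, elapsed_s, accepted_probes). accepted_probes is how many
    times the key still worked after deletion was issued: the exposure window,
    measured rather than assumed. 5xx answers are neither counted nor final.
    """
    start = clock()
    accepted = 0
    while True:
        verdict = classify(probe())
        elapsed = clock() - start
        if verdict == "rejected":
            return True, elapsed, accepted
        if verdict == "accepted":
            accepted += 1
        if elapsed >= timeout_s:
            return False, elapsed, accepted
        sleep(interval_s)


class SimulatedBackend:
    """Constructed stand-in for a backend with propagation lag: it keeps honouring
    a deleted key for lag_s seconds after deletion, then returns 400."""
    def __init__(self, lag_s: float, clock):
        self.lag_s = lag_s
        self.clock = clock
        self.deleted_at = None

    def delete_key(self):
        self.deleted_at = self.clock()

    def probe(self) -> int:
        if self.deleted_at is not None and self.clock() - self.deleted_at >= self.lag_s:
            return 400
        return 200


class FakeClock:
    """Deterministic clock so the simulation runs instantly and reproducibly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, s):
        self.now += s


def simulate(lag_s=120.0, interval_s=5.0, timeout_s=900.0):
    """Run the verification loop against the simulated backend (constructed data);
    returns the same tuple as wait_for_revocation."""
    clk = FakeClock()
    backend = SimulatedBackend(lag_s, clk)
    backend.delete_key()
    return wait_for_revocation(backend.probe, interval_s, timeout_s,
                               clock=clk, sleep=clk.sleep)


if __name__ == "__main__":
    revoked, elapsed, accepted = simulate()
    print(f"revoked={revoked} after {elapsed:.0f}s; "
          f"key still accepted {accepted} times after deletion")
```

In a real incident, pass make_http_probe(url, key) as the probe, keep the default clock and sleep so the loop paces its requests, and record the returned accepted_probes count in the incident timeline as the measured exposure window instead of treating the deletion timestamp as the end of exposure.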
