Google API Keys Remain Active After Deletion
Recorded: May 21, 2026, 9:01 p.m.
| Original | Summarized |
A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate.

Rob Wright, Senior News Director, Dark Reading
May 21, 2026
4 Min Read

Google API keys aren't completely inactive after users delete them, giving attackers a small but significant window to continue abusing them.

Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window — the time between a key's deletion and its last successful authentication — for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case.

In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said. And these windows have serious repercussions for organizations.

"An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up."

Google API Key Revocation Windows Vary

Leon tells Dark Reading he was inspired to examine the revocation windows for GCP after Eduard Agavriloae, co-founder of Offensai, published research late last year on revocation delays in AWS credentials. But as Leon noted in his blog post, those delays were just four seconds, and AWS responded to the issue.

"Four seconds was enough to matter on AWS," he wrote.

The revocation windows for Google's API keys were, by comparison, many times longer.

Aikido's research team ran 10 tests over two days in which they created virtual machines (VMs) in different GCP regions, deleted the API keys, and sent up to five authenticated requests per second to see how long the keys kept working after deletion.

The test results were "highly unpredictable": one trial had a 79% authentication success rate one minute after deletion, while another had just a 5% success rate. Additionally, Aikido's research team found that success rates differed significantly based on the VM's region.

For example, according to the test results, VMs in GCP's asia-southeast1 region had a median request authentication success rate of just 22% after one minute, while the success rates for the us-east1 and europe-west1 regions were about 49%. Leon noted that VMs farther away from the US picked up deletion requests faster, which "is the opposite of what you'd expect," though it's unclear why.

"Google's request routing is more complex than 'VM region equals server region,' and a VM in Singapore isn't necessarily talking to servers in Singapore," Leon wrote. "But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference."

Whatever the cause, Leon says the regional differences are "entirely driven by where the researcher (or attacker) originated their requests," and are independent of the customer's geographic location.

API Key Deletion Delays Complicate Incident Response

Aikido's report stated that GCP's user interface (UI) for key deletions states, "Once deleted, it can no longer be used to make API requests." Leon wrote that this statement is demonstrably false and leaves customers in the dark about when an API key is fully revoked.

Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams dealing with a potential breach.

"This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers."

To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" section of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote.

Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post. Dark Reading contacted Google for comment on the research, but the company did not respond at press time.

Leon noted that Google has faster revocations for other types of credentials: service account deletions propagate across the platform in about five seconds, and Gemini's newer API key format is fully revoked in approximately one minute. This suggests that reducing the revocation windows for Google API keys is "technically solvable."

"Distributed systems at Google's scale are hard, and this is not a critique of the GCP IAM team," Leon wrote. "But a 23-minute revocation window is fundamentally at odds with what users expect from a delete button."

About the Author
Rob Wright, Senior News Director, Dark Reading. Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
A security researcher discovered that Google Cloud Platform (GCP) API keys remain functionally active for a significant period following their deletion, contrary to the immediate revocation claims made by the cloud provider. This finding highlights a critical vulnerability where an attacker can exploit a window—the revocation time—to continue abusing previously deleted credentials. Joe Leon, a researcher at Aikido Security, analyzed this revocation window, determining that for Google API keys, the median time between deletion and the key ceasing to authenticate was approximately sixteen minutes, with the longest observed window reaching twenty-three minutes. This persistence creates a substantial vulnerability, allowing an attacker possessing a deleted key to continue sending authenticated requests until the underlying infrastructure fully updates, which poses severe risks for data exfiltration, such as dumping files or extracting cached conversations if services like Gemini are enabled on the associated project.

The discrepancy between the user experience and the technical reality of key deletion complicates incident response efforts. While the GCP user interface indicates that a deleted key cannot be used for API requests, this interface information is demonstrably false, leaving users operating under a false security assumption. This gap fundamentally breaks the established mental model for incident response teams, which typically operate on the assumption that a revoked credential is immediately unusable. Consequently, teams must account for the fact that an attacker may still be actively exploiting a credential during this extended window.

Aikido Security's research further explored the unpredictability of these delays by testing revocation windows across different regional infrastructure, specifically virtual machines hosted in various GCP regions. The results were highly variable, with authentication success rates differing significantly based on the region in which the testing VMs were located; for example, success rates varied between regions like asia-southeast1 and us-east1, which was attributed to differences in regional infrastructure, caching, or routing affinity rather than a uniform system delay. This regional variation suggests that the rate at which deletion requests are processed is influenced by the localized infrastructure patterns, irrespective of the customer's geographic location.

In light of these findings, Aikido recommended specific measures for mitigating the risk. They advised that security teams and incident response personnel should assume a conservative thirty-minute window when managing Google API key deletions. Furthermore, continuous monitoring is essential; organizations should actively review API requests by credential through the "Enabled APIs and services" section of the GCP console to detect any unexpected usage following a deletion. While Google did not publicly respond to the specific research, the findings suggest that the current revocation mechanism, while technically solvable, is at odds with user expectations regarding credential lifecycle management in distributed systems. It is worth noting that Google has implemented faster revocation processes for certain credential types, such as service account deletions, which propagate across the platform in approximately five seconds, and the newer Gemini API key format is revoked in about one minute, indicating that the technical feasibility of reducing the revocation window is achievable. |
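The article's defensive advice (review API requests by credential after a deletion, and keep treating the key as live for a 30-minute window) and the two metrics Aikido measured (the revocation window, and the per-region success rate one minute after deletion) can be turned into a small check over per-credential logs. The following is an added example, not code from Aikido, Google or the article. It assumes a constructed CSV log format ("timestamp,credential_id,origin_region,http_status"), a placeholder key identifier, and a made-up deletion timestamp; the sample log lines are constructed to show propagation lag in two origin regions.

```python
"""Post-deletion credential-use check (added example; not Aikido's, Google's,
or the article's own code).

Assumptions, all constructed for this example: each request made with an API
key is logged as one CSV line "timestamp,credential_id,origin_region,status";
KEY_ID is a placeholder key identifier; DELETED_AT is when the key was deleted.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from io import StringIO

# The 30-minute window Aikido recommends IR teams assume after a deletion.
GRACE_PERIOD = timedelta(minutes=30)

KEY_ID = "key-placeholder-001"  # placeholder, not a real key id
DELETED_AT = datetime(2026, 5, 21, 12, 0, 0, tzinfo=timezone.utc)  # constructed

# Constructed log lines: pre-deletion traffic, post-deletion successes caused by
# propagation lag, post-deletion failures, and traffic from an unrelated key.
SAMPLE_LOG = """\
2026-05-21T11:59:00Z,key-placeholder-001,us-east1,200
2026-05-21T12:00:05Z,key-placeholder-001,us-east1,200
2026-05-21T12:00:10Z,key-placeholder-001,asia-southeast1,403
2026-05-21T12:00:20Z,key-placeholder-001,us-east1,200
2026-05-21T12:00:30Z,key-placeholder-001,asia-southeast1,200
2026-05-21T12:00:40Z,key-placeholder-001,us-east1,403
2026-05-21T12:00:50Z,key-placeholder-001,asia-southeast1,403
2026-05-21T12:01:00Z,key-other-002,europe-west1,200
2026-05-21T12:05:00Z,key-placeholder-001,us-east1,403
2026-05-21T12:14:00Z,key-placeholder-001,us-east1,200
2026-05-21T12:16:00Z,key-placeholder-001,us-east1,403
"""


@dataclass(frozen=True)
class ApiRequest:
    ts: datetime
    credential_id: str
    region: str  # region the request originated from
    status: int  # HTTP status returned by the API

    @property
    def succeeded(self) -> bool:
        return 200 <= self.status < 300


def parse_log(text: str) -> list[ApiRequest]:
    """Parse the constructed CSV lines into time-ordered ApiRequest records."""
    rows = []
    for ts, cred, region, status in csv.reader(StringIO(text.strip())):
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append(ApiRequest(when, cred, region, int(status)))
    return sorted(rows, key=lambda r: r.ts)


def post_deletion_successes(reqs, key_id: str, deleted_at: datetime) -> list[ApiRequest]:
    """Requests that still authenticated with the key after it was deleted.

    Each one is evidence the deletion has not propagated yet, and, if the key
    was leaked, possible active use by someone else.
    """
    return [r for r in reqs
            if r.credential_id == key_id and r.ts >= deleted_at and r.succeeded]


def revocation_window(reqs, key_id: str, deleted_at: datetime) -> timedelta:
    """Time from deletion to the last successful authentication (zero if none)."""
    late = post_deletion_successes(reqs, key_id, deleted_at)
    return (late[-1].ts - deleted_at) if late else timedelta(0)


def success_rate_by_region(reqs, key_id: str, deleted_at: datetime,
                           minute: int = 1) -> dict[str, float]:
    """Share of the key's requests per origin region that still succeeded in
    the given minute after deletion (minute=1 is the first 60 seconds)."""
    start = deleted_at + timedelta(minutes=minute - 1)
    end = start + timedelta(minutes=1)
    seen: dict[str, list[bool]] = {}
    for r in reqs:
        if r.credential_id == key_id and start <= r.ts < end:
            seen.setdefault(r.region, []).append(r.succeeded)
    return {region: sum(ok) / len(ok) for region, ok in seen.items()}


def deletion_report(reqs, key_id: str, deleted_at: datetime, now: datetime) -> dict:
    """Summary an IR team can act on for one deleted key."""
    late = post_deletion_successes(reqs, key_id, deleted_at)
    return {
        "key_id": key_id,
        "revocation_window_seconds": revocation_window(reqs, key_id, deleted_at).total_seconds(),
        "post_deletion_successes": len(late),
        "first_minute_success_rate_by_region": success_rate_by_region(reqs, key_id, deleted_at),
        # Keep treating the key as live until the 30-minute window has elapsed.
        "treat_as_live": now < deleted_at + GRACE_PERIOD,
        # Any successful use after deletion is worth investigating.
        "alert": bool(late),
    }


if __name__ == "__main__":
    requests = parse_log(SAMPLE_LOG)
    report = deletion_report(requests, KEY_ID, DELETED_AT,
                             now=DELETED_AT + timedelta(minutes=20))
    for field, value in report.items():
        print(f"{field}: {value}")
```

On the constructed log the last successful post-deletion request arrives 14 minutes after deletion, so the measured window is 840 seconds; in the first minute two of three requests from us-east1 still succeed while only one of three from asia-southeast1 does, which is the kind of regional spread the article describes. Grouping by the request's origin region, not the customer's region, matches Leon's observation that the difference is driven by where the requests originate.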