[AI Studio] Deployed app build can’t add image assets

Google AI Studio
,
1

Built a visual-novel app in Google AI Studio (App Builder). It works in Preview until I hit image-model quota, so I deployed it to pay for image generations. In the deployed app, adding an image asset fails whereas it works fine in preview mode in AI Studio builder before I hit the quota:UI shows “Asset Generation Failed,” and DevTools says the Files API response is missing X-Goog-Upload-URL. Looks like the deployed app’s proxy isn’t exposing that header to the browser (CORS), so the resumable upload can’t start.

Environment

AI Studio → App Builder (personal project) Billing + API key connected to my Cloud project and ai studio build (free trial credits available) What I’m trying to do

My visual novel eeds a reference image to start (“Upload Lem’s Image”). In Preview it works until quota limits hit. I deployed to keep going, but now the reference image upload fails before image generation of location and character assets even begins.. Questions

Can someone from the AI Studio team please help me with this bug If this is a known issue, is the recommended workaround or prompt i can give ai code assistant so i dot run into this issue again?

image
image1855×829 49.6 KB

3

Your “one-prompt fix” (give this to any AI assistant)

Goal: Make my deployed web app’s Gemini image uploads work outside AI Studio Preview. Fixes must avoid exposing keys and resolve CORS/header issues.

Context: In Preview, uploads work because Studio proxies requests and exposes the resumable header. In production, direct browser→Gemini calls fail (no real key + browser can’t read X-Goog-Upload-URL).

Do one of these (preferably both options offered):

  1. Inline media path (code-only):

  • Remove any client-side use of the Files API or ai.files.upload.

  • Modify all requests that need images to send them as inline_data (base64 + mime type) inside the parts array.

  • Ensure calls include a valid x-goog-api-key (from config/env), but do not embed secrets in client code.

  • Keep image size reasonable; for large or reusable media, provide an alternate server path.

  1. Reverse proxy path (secure, production-friendly):

  • Create a small proxy (Cloudflare Worker/Cloud Run) that forwards /api-proxy/* to https://generativelanguage.googleapis.com.

  • Inject x-goog-api-key from a secret store (never client code).

  • Handle OPTIONS preflight; set Access-Control-Allow-Origin to the app origin; include needed Access-Control-Allow-Headers.

  • On responses, add Access-Control-Expose-Headers to include at least:
    X-Goog-Upload-URL, X-Goog-Upload-Status, X-Goog-Upload-Command, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, Location.

  • Verify in DevTools: the initial POST .../upload/v1beta/files returns 200/201 and shows a visible X-Goog-Upload-URL.

Acceptance tests:

  • Upload works in production with a small image; no “Failed to upload file.”

  • Network tab shows x-goog-api-key present on Gemini requests; CORS preflight passes; X-Goog-Upload-URL visible on the first step, followed by a successful PUT to that URL (if using Files API).

  • No API key appears in client bundles.

Docs to follow:

  • Gemini requires x-goog-api-key and supports inline_data in parts.

  • Browsers require Access-Control-Expose-Headers to read non-simple headers.

  • Store secrets in the platform’s secret manager (e.g., Cloudflare Workers “Variables & Secrets”).