Title: AQ. API key returns 401 "Expected OAuth 2 access token" (ACCESS_TOKEN_TYPE_UNSUPPORTED)
on a fully-configured project — Generative Language API enabled, key restricted, billing on.
Summary
-------
Every API key on my account (all AQ. prefix, since AI Studio no longer issues AIza keys) returns
401 UNAUTHENTICATED / ACCESS_TOKEN_TYPE_UNSUPPORTED when calling the Gemini API
(generativelanguage.googleapis.com), for BOTH generateContent and files.upload. This persists after
applying every documented remediation. I believe my project/account is caught in the AQ-key rollout
that is breaking the Generative Language API endpoint for some accounts.
Account / project
-----------------
- Account: m...@gmail.com (AI Studio plan "Pro")
- Project "Mirage": ID gen-lang-client-0867379..., number 30409593...
- Project "AI Avatar and Scene Generation": ID gen-lang-client-043153...
- Key: gemini-mirage-key, key ID f95ecb07-19b3-4f18-898b-.....(last-4 ...GCeQ)
- Bound service account: ais-gemini-key-
- Additional keys tested: ...WFhw (project gen-lang-client-04315.....1), ...sB6g — all 401.
Configuration verified CORRECT (so the usual fixes don't apply)
---------------------------------------------------------------
- Generative Language API ("Gemini API", generativelanguage.googleapis.com): ENABLED on the project.
- Key API restriction: already restricted to "Gemini API".
- Key is bound to the service account above.
- Billing: enabled (Tier 1 · Prepay).
Exact error (verbatim)
----------------------
HTTP 401 UNAUTHENTICATED
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login
cookie or other valid authentication credential. See
https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [{"@type":"type.googleapis.com/google.rpc.ErrorInfo",
"reason":"ACCESS_TOKEN_TYPE_UNSUPPORTED",
"metadata":{"service":"generativelanguage.googleapis.com",
"method":"google.ai.generativelanguage.v1beta.FileService.CreateFile"}}]
}
}
(Identical for generateContent.)
Environment
-----------
- macOS; Python 3.9 and 3.14.
- google-genai SDK v2.10.0 (latest; upgrading changed nothing).
- No Vertex/OAuth env vars set (GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_APPLICATION_CREDENTIALS,
GOOGLE_CLOUD_PROJECT, GOOGLE_API_KEY all UNSET).
Everything I tried — all return the identical 401
--------------------------------------------------
1. SDK genai.Client(api_key=KEY) -> models.generate_content (text only) -> 401
2. SDK client.files.upload(...) -> 401
3. Raw REST POST .../v1beta/models/gemini-2.5-pro:generateContent
header "x-goog-api-key: KEY" (documented header) -> 401
4. Raw REST with "?key=KEY" query param -> 401
5. Raw REST with "Authorization: Bearer KEY" -> 401
6. Same on the v1 endpoint (not v1beta) -> 401
7. Three different keys across two projects -> all 401
8. Upgraded SDK to latest -> no change
So the rejection is server-side and independent of SDK, header style, endpoint version, and key/project.
What I need
-----------
Please un-flag / fix my project(s) so AQ. keys authenticate against generativelanguage.googleapis.com,
OR tell me the exact working auth method for an AQ. key bound to a service account. Happy to provide any
console value or screenshot. Thank you.