Unexpected Gemini API usage — How to trace calls (IP address)? New API key used without ever being deployed

Hi everyone,

I’m facing a serious issue regarding unexpected usage of the Gemini API, and I need clarification on what data is (or isn’t) available to developers in order to investigate.

Context

I switched my project to a paid Gemini plan on November 27th.
However, within just 3 days, including a weekend when nobody was working, my API key generated more than 900 requests per day.

After investigating the dashboard and metrics, it looks like my API key was being used by someone else since early October — but I didn’t notice it because the free-tier limits were capping the usage. When I upgraded to a paid plan, those limits disappeared, and the unauthorized usage suddenly exploded.

My questions

1. Is it possible to know from which IP address an API call to Gemini was made?

I checked Cloud Monitoring, Audit Logs, and the API Metrics tab.
None of them show the origin IP, the requester, or any identifying information.
Is there any way for developers to see where the calls came from?

This information is critical to understand how the key was compromised.

2. Why did a brand-new API key get 51 calls immediately after being created, even though it was never used or deployed?

I created a fresh API key (and did not publish or use it anywhere), yet it already shows 51 calls within 4 hours.
This is extremely concerning and makes me wonder:

  • Is this expected internal testing from Google?

  • Could this indicate that my project or workspace is compromised?

  • Are there automated probes or scans on newly created keys?

I found no documentation about this behavior.

What I have done so far

  • Restricted the original key to a specific IP → result: all unauthorized usage stopped immediately, confirming the key was likely stolen.

  • Restricted the new key as well once I saw those unexpected 51 calls.

  • Checked the dashboards, but they only show model name + request count, nothing about the requester (IP, origin service, etc.).

What I need to understand

  • Is it possible for me to trace the origin IP of API calls made with my key?

  • Is the immediate “51 requests” on a newly created key expected behavior?

  • If not, what could explain this?

  • Is there any additional logging or diagnostic tool available to paid users?

Right now, I have no way to identify how the key was obtained or by whom, and I want to make sure there is not a deeper security issue.

Any guidance or clarification from the Google team/users would be greatly appreciated.

Thank you!

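The three patterns in the post (traffic on a key that was never deployed, a jump once free-tier caps are lifted, and activity on a weekend when nobody was working) can be checked offline against per-key request counts. The following is an added example, not code from the forum thread or from Google. It assumes the rows mimic the Cloud Monitoring request-count metric aggregated per day and per API key label; the tuple layout and the sample numbers are constructed for the example and are not an official export format.

```python
"""Added example (not from the thread): flag suspicious per-key daily usage.

Assumption: each row is (day, credential_id, request_count), a constructed
stand-in for the serviceruntime.googleapis.com/api/request_count metric
grouped by day and credential label. Not an official export format.
"""
from collections import defaultdict
from datetime import date

# Constructed sample data (not real metrics). "apikey:old" has steady
# free-tier-capped usage, weekends included, then jumps after the paid
# upgrade on 2025-11-27. "apikey:new" was created on 2025-12-01 and was
# never deployed anywhere, yet shows traffic.
SAMPLE_ROWS = [
    ("2025-11-20", "apikey:old", 60),
    ("2025-11-21", "apikey:old", 58),
    ("2025-11-22", "apikey:old", 61),   # Saturday
    ("2025-11-23", "apikey:old", 59),   # Sunday
    ("2025-11-24", "apikey:old", 60),
    ("2025-11-25", "apikey:old", 62),
    ("2025-11-26", "apikey:old", 57),
    ("2025-11-27", "apikey:old", 300),  # paid plan enabled, caps removed
    ("2025-11-28", "apikey:old", 940),
    ("2025-11-29", "apikey:old", 910),  # Saturday, nobody working
    ("2025-11-30", "apikey:old", 960),  # Sunday
    ("2025-12-01", "apikey:new", 51),   # fresh key, never deployed
]

# Keys the team has not deployed anywhere yet: any traffic at all is a finding.
NOT_DEPLOYED = frozenset({"apikey:new"})


def find_anomalies(rows, not_deployed=frozenset(), baseline_days=7,
                   spike_factor=3.0, weekends_idle=True):
    """Return a list of findings; each is a dict with key, rule, day, count."""
    by_key = defaultdict(list)
    for day, key, count in rows:
        by_key[key].append((date.fromisoformat(day), int(count)))

    findings = []
    for key, series in sorted(by_key.items()):
        series.sort()

        # Rule 1: a key that is not deployed anywhere should see zero traffic.
        if key in not_deployed:
            for day, count in series:
                if count > 0:
                    findings.append(dict(key=key, rule="undeployed_key_used",
                                         day=day.isoformat(), count=count))
            continue

        # Rule 2: compare each later day with the mean of the first
        # `baseline_days` days. A quota-capped free tier makes the baseline
        # look normal, so this rule only catches the post-upgrade explosion.
        base = series[:baseline_days]
        baseline = sum(c for _, c in base) / len(base)
        for day, count in series[baseline_days:]:
            if count > spike_factor * baseline:
                findings.append(dict(key=key, rule="spike", day=day.isoformat(),
                                     count=count, baseline=round(baseline, 1)))

        # Rule 3: any weekend traffic when the team does not work weekends.
        # This also catches the earlier, capped phase that rule 2 misses.
        if weekends_idle:
            for day, count in series:
                if day.weekday() >= 5 and count > 0:
                    findings.append(dict(key=key, rule="weekend_activity",
                                         day=day.isoformat(), count=count))
    return findings


def keys_to_rotate(findings):
    """Distinct keys with at least one finding: candidates for immediate
    rotation plus IP and API-target restriction."""
    return sorted({f["key"] for f in findings})


if __name__ == "__main__":
    results = find_anomalies(SAMPLE_ROWS, NOT_DEPLOYED)
    for f in results:
        print(f)
    print("rotate:", keys_to_rotate(results))
```

On the constructed data the spike rule fires only from 2025-11-27 onward, while the weekend rule fires on 2025-11-22 and 2025-11-23 as well, which is the capped phase the post says went unnoticed; a baseline built from already-compromised traffic is the reason a plain threshold is not enough on its own.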

Hi @Pascal_LR, welcome to the AI Forum!

It appears that your API key may have been exposed and is currently being used by someone else. You should rotate the key immediately, limit its usage to specific IPs or services, and review your environment for any potential issues. Enforcing strict restrictions on new keys before deploying them can help prevent similar incidents in the future.
If you have any concerns related to IP problems, please reach out to Report IP problems - Google Search Help.

I had similar issues and now I’m looking at a bill of $6,909 for calls to GenerativeLanguage.GenerateContent over about a month, none of which I made. I had quickly created an API key during a live Google training session. I never shared it with anyone and it’s not pushed to any public (or private) repo or website. Whoever got hold of it made over a billion requests, 99% of which returned 429 errors. 429s are not supposed to be billed, so the $6k+ is a result of the 1% of calls which succeeded.

[Screenshot 2025-12-23 225357]

I opened a support case and they said:

Generally, any usage on an account that was not caused by a direct error on Google’s side is technically considered “valid usage” even if the activity was unintended by you. A specialized team has raised a consultation with the Product Team. They are currently conducting a deeper investigation to clarify the specific usage details and ensure our findings are completely accurate. I have explicitly requested them to check if we can retrieve request headers or originating IP addresses that could help you identify how the key was being utilized.

Our specialized team investigation concluded that no leaked API keys were detected in your project… The key was not found in public repositories (a standard “leak” check), but they did not provide specific details on the methodology used to reach that conclusion. I understand that this lack of detail is frustrating and leaves your questions about the validity of the traffic unanswered.
I can no longer trust Google APIs. I made the mistake during a live training session of not properly restricting the API key, and didn’t catch the high usage in the cloud console until it added up to thousands. Even after I disabled the API, another $2k+ registered. It was just for a quick test and I never used it again personally.