Unexpected Gemini API usage — How to trace calls (IP address)? New API key used without ever being deployed

Hi everyone,

I’m facing a serious issue regarding unexpected usage of the Gemini API, and I need clarification on what data is (or isn’t) available to developers in order to investigate.

Context

I switched my project to a paid Gemini plan on November 27th.
However, within just 3 days, including a weekend when nobody was working, my API key generated more than 900 requests per day.

After investigating the dashboard and metrics, it looks like my API key was being used by someone else since early October — but I didn’t notice it because the free-tier limits were capping the usage. When I upgraded to a paid plan, those limits disappeared, and the unauthorized usage suddenly exploded.

My questions

1. Is it possible to know from which IP address an API call to Gemini was made?

I checked Cloud Monitoring, Audit Logs, and the API Metrics tab.
None of them show the origin IP, the requester, or any identifying information.
Is there any way for developers to see where the calls came from?

This information is critical to understand how the key was compromised.

2. Why did a brand-new API key get 51 calls immediately after being created, even though it was never used or deployed?

I created a fresh API key (and did not publish or use it anywhere), yet it already shows 51 calls within 4 hours.
This is extremely concerning and makes me wonder:

  • Is this expected internal testing from Google?

  • Could this indicate that my project or workspace is compromised?

  • Are there automated probes or scans on newly created keys?

I found no documentation about this behavior.

What I have done so far

  • Restricted the original key to a specific IP → result: all unauthorized usage stopped immediately, confirming the key was likely stolen.

  • Restricted the new key as well once I saw those unexpected 51 calls.

  • Checked the dashboards, but they only show model name + request count, nothing about the requester (IP, origin service, etc.).

What I need to understand

  • Is it possible for me to trace the origin IP of API calls made with my key?

  • Is the immediate “51 requests” on a newly created key expected behavior?

  • If not, what could explain this?

  • Is there any additional logging or diagnostic tool available to paid users?

Right now, I have no way to identify how the key was obtained or by whom, and I want to make sure there is not a deeper security issue.

Any guidance or clarification from the Google team/users would be greatly appreciated.

Thank you!
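One concrete way to work the "how was the key obtained" question offline, as an added example that is not part of the post above: a small scanner that walks a working tree (or text piped in from `git log -p --all`) looking for Google API keys, which have a fixed shape of the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`. The fake project it builds in a temp directory, and the two fake keys in it, are constructed for the example; `scan_tree`, `scan_text` and `build_sample_tree` are names chosen here, not anything from the Gemini or Google Cloud SDKs. Findings carry a masked key and a short SHA-256 fingerprint so the same key can be correlated across `.env`, shipped JS bundles and history without the secret itself ending up in a ticket or log.

```python
"""Added example: scan a working tree (or text piped from `git log -p --all`) for
Google API keys of the form AIza... so a leaked key can be located offline.
Not part of the original post; the sample files below are constructed."""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path

# Google API keys are 39 chars: the literal prefix "AIza" followed by 35
# characters from [0-9A-Za-z_-].  The lookarounds stop the pattern from
# matching the inside of a longer base64-like token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"
)
SKIP_DIRS = {".git", "node_modules", ".venv", "venv", "__pycache__"}
MAX_FILE_BYTES = 5 * 1024 * 1024


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix so hits can be correlated without logging the key."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def mask(key: str) -> str:
    """Show only enough of the key to recognise it in a report."""
    return key[:8] + "..." + key[-4:]


def scan_text(text: str, label: str) -> list[dict]:
    """Return one finding per key occurrence in `text` (file, line, fingerprint)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            key = m.group(0)
            hits.append({"file": label, "line": lineno,
                         "masked": mask(key), "fingerprint": fingerprint(key)})
    return hits


def scan_file(path: Path, root: Path) -> list[dict]:
    try:
        data = path.read_bytes()
    except OSError:
        return []
    # Skip large files and anything that looks binary (NUL in the first 4 KiB).
    if len(data) > MAX_FILE_BYTES or b"\x00" in data[:4096]:
        return []
    return scan_text(data.decode("utf-8", errors="replace"),
                     path.relative_to(root).as_posix())


def scan_tree(root) -> list[dict]:
    """Walk `root`, skipping vendored/VCS dirs, and collect all key findings."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            hits.extend(scan_file(Path(dirpath) / name, root))
    return hits


# --- constructed sample data: fake keys, not real credentials ---
FAKE_KEY = "AIza" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r"   # 39 chars total
OTHER_FAKE_KEY = "AIza" + "9" * 20 + "abcdefghijklmno"        # 39 chars total


def build_sample_tree() -> str:
    """Write a small fake project into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="keyscan-"))
    files = {
        ".env": f"GEMINI_API_KEY={FAKE_KEY}\n",
        "web/bundle.js": f'const key = "{FAKE_KEY}";  // shipped to browsers\n',
        "README.md": "Set GEMINI_API_KEY in .env before running.\n",
        "docs/notes.txt": "not a key: " + "AIza" + "a" * 40 + "\n",   # too long
        "node_modules/dep/index.js": f'module.exports = "{OTHER_FAKE_KEY}";\n',
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    # A binary blob containing the key is skipped to avoid noisy false positives.
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n\x00\x00" + FAKE_KEY.encode())
    return str(root)


if __name__ == "__main__":
    # Usage: python keyscan.py [DIR]    or    git log -p --all | python keyscan.py -
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        findings = scan_text(sys.stdin.read(), "<stdin>")
    else:
        findings = scan_tree(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree())
    for h in findings:
        print(f"{h['file']}:{h['line']}  {h['masked']}  fp={h['fingerprint']}")
```

Run without arguments it scans the constructed tree and reports the key in `.env` and in `web/bundle.js` (the copy under `node_modules` and the one inside the binary are deliberately skipped); run as `git log -p --all | python keyscan.py -` it checks committed history, which is where a key often survives even after being removed from the working tree. A key found in a JS bundle or a public commit is effectively public, and the only remedy is the one the post already applied: restrict or rotate it. To my knowledge the CLI form of the IP restriction described above is `gcloud services api-keys update KEY --allowed-ips=...`, but check the current `gcloud` reference before relying on it.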