Dark ReadingArchived May 22, 2026✓ Full text saved
A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate.
Full text archived locally
✦ AI Summary· Claude Sonnet
IDENTITY & ACCESS MANAGEMENT SECURITY
CYBER RISK
СLOUD SECURITY
THREAT INTELLIGENCE
NEWS
Google API Keys Remain Active After Deletion
A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate.
Rob Wright,Senior News Director,Dark Reading
May 21, 2026
4 Min Read
SOURCE: SANDWISH VIA ALAMY STOCK PHOTO
Google API keys aren't completely inactive after users delete them, giving attackers a small but significant window to continue abusing them.
Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window — the time between a key's deletion and its last successful authentication — for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case.
In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window weas up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said.
And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up."
Related:AI Agents Are Shifting Identity Security Budget Dynamics
Google API Key Revocation Windows Vary
Leon tells Dark Reading he was inspired to examine the revocation windows for GCP after Eduard Agavriloae, co-founder of Offensai, published research late last year on revocation delays in AWS credentials. But as Leon noted in his blog post, those delays were just four seconds, and AWS responded to the issue.
"Four seconds was enough to matter on AWS," he wrote.
The revocation windows for Google's API keys were, by comparison, exponentially longer. Aikido's research team ran 10 tests over two days where they created virtual machines (VMs) in different GCP regions, deleted the API keys, and sent up to five authenticated requests per second to see how long the keys worked after the deletion.
The test results were "highly unpredictable," as one trial had a 79% authentication success rate after one minute, while another test had just a 5% success rate. Additionally, Aikido's research team found success rates were significantly different based on the VM's region.
For example, according to the test results, VMs in GCP's asia-southeast1 had a median request authentication success rate of just 22% after one minute, while the success rates of us-east1 and europe-west1 regions were about 49%. Leon noted that VMs farther away from the US picked up deletion requests faster, which "is the opposite of what you'd expect," though it's unclear why.
Related:Oracle Red Bull Racing Team Revs Up Automation to Boost Security
"Google's request routing is more complex than 'VM region equals server region'" and a VM in Singapore isn't necessarily talking to servers in Singapore," Leon wrote. "But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference."
Whatever the cause, Leon says the regional differences are "entirely driven by where the researcher (or attacker) originated their requests," and are independent of the customer's geographic location.
API Key Deletion Delays Complicate Incident Response
Aikido's report stated that GCP's user interface (UI) for key deletions states, "Once deleted, it can no longer be used to make API requests." Leon wrote that the UI is demonstrably false and leaves customers in the dark about when an API key is fully revoked.
Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach.
"This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers."
Related:Your Next Breach Will Look Like Business as Usual
To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote.
Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post. Dark Reading contacted Google for comment on the research, but the company did not respond at press time.
Leon noted that Google has faster revocations for other types of credentials, as service account deletions propagate across the platform in about five seconds and Gemini's newer API key format is fully revoked in approximately one minute. This suggests that it's "technically solvable" to reduce the revocation windows for Google API keys.
"Distributed systems at Google's scale are hard, and this is not a critique of the GCP IAM team," Leon wrote. "But a 23-minute revocation window is fundamentally at odds with what users expect from a delete button."
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
AI-Powered Cybersecurity for Resource-Constrained Organizations
How Security Teams should apply Threat Intelligence into their Defenses
More Webinars
You May Also Like
IDENTITY & ACCESS MANAGEMENT SECURITY
Delinea's StrongDM Deal Sign of How PAM Has Changed
by Jeffrey Schwartz
MAR 12, 2026
IDENTITY & ACCESS MANAGEMENT SECURITY
Orgs Move to SSO, Passkeys to Solve Bad Password Habits
by Nate Nelson, Contributing Writer
NOV 13, 2025
IDENTITY & ACCESS MANAGEMENT SECURITY
1Password Addresses Critical AI Browser Agent Security Gap
by Arielle Waldman
OCT 10, 2025
IDENTITY & ACCESS MANAGEMENT SECURITY
NIST Digital Identity Guidelines Evolve With Threat Landscape
by Arielle Waldman
AUG 14, 2025
Editor's Choice
THREAT INTELLIGENCE
From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
byDark Reading Editorial Team
MAY 6, 2026
31 MIN READ
CYBER RISK
Physical Cargo Theft Gets a Boost From Cybercriminals
byRobert Lemos
MAY 4, 2026
5 MIN READ
CYBER RISK
NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
byDark Reading Editorial Team
APR 28, 2026
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
LOADING...
RSAC 2026: key news & insights
At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more
Get Your Recap
Webinars
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
How Security Teams should apply Threat Intelligence into their Defenses
THURS, JUNE 11, 2026 AT 1PM EST
Your Guide to Securing AI Adoption in Your Organization
TUES, JUNE 9, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS