Google Reverses Gemini API Bills, Adds Spend Caps
Google refunded developers hit by unauthorized Gemini API calls and pledged new caps to limit surprise charges.
An illustration depicts a cracked server rack emitting keys, open locks, currency symbols, and message bubbles amidst red signs. © The GPU Trade Inc 2026
Google has reversed charges and reimbursed at least two developers who suffered runaway bills after unauthorized calls to its Gemini API, the company and affected users confirmed in recent reporting.
The incidents stemmed from exposed or compromised API keys that attackers used to make large numbers of model requests, generating thousands of dollars in inference costs in hours or days. Security researchers and multiple developer reports have traced the problem to legacy keys and public client configurations.
One developer reported a billing spike from a few hundred dollars to roughly $17,000 in minutes after an attacker exploited a key; another posted that a stolen key produced more than $82,000 in charges over 48 hours.
Some of the cost growth was amplified by Google’s automated billing tiers, which can raise a project’s spend ceiling when usage appears to qualify for a higher tier, a behavior that developers said surprised them. Google has described those tiered growth rules as automated scaling for customers that meet certain payment and usage thresholds.
In response to the wave of complaints, Google said it is rolling out and tightening billing controls for Gemini, including project-level spend caps and new prepaid billing options that let teams limit exposure by pausing API requests when a cap is reached. Those controls were announced in recent Google developer updates in March and April 2026.
The practical effect of the new controls is that developers can set a hard monthly limit inside Google AI Studio or prepay API credits so that requests stop when the budget is exhausted, rather than allowing charges to continue to post to a card or billing account. Early documentation and third‑party guides describe both prepay and postpay models being made available.
Researchers who scanned public code and websites found thousands of live Google API keys that were originally intended for services like Maps or Firebase but now also authenticate to Gemini, widening the attack surface for credential abuse. That unexpected elevation of legacy keys has been central to why otherwise compliant apps were affected.
Developers and security experts stressed that billing controls alone do not remove the root cause: publicly discoverable credentials and client-side keys. Best-practice mitigations include moving AI calls behind server endpoints, applying strict key restrictions, rotating keys, and enforcing App Check or similar protections.
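The first of those mitigations, moving the model call behind a server endpoint, is where the other controls naturally attach. The following is an added example, not Google's code or any project's: a minimal gateway that keeps the key in the server's environment, enforces a per-client request quota and a hard spend cap, and fails closed once the cap would be crossed. The per-token price, the four-characters-per-token estimate and the `fake_upstream` stand-in for the real model call are constructed assumptions so the block runs offline.

```python
"""Server-side gateway in front of a paid model API (added example).

The API key never leaves the server; clients call this gateway, which
estimates cost before forwarding, refuses requests past a hard cap, and
caps requests per client so one abusive caller cannot drain the budget.
"""
import os
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumed price per 1,000 tokens, used only to estimate spend before a
# request is forwarded. Real pricing comes from the provider's rate card.
ASSUMED_USD_PER_1K_TOKENS = 0.002


@dataclass
class GatewayState:
    spent_usd: float = 0.0
    requests_by_client: Dict[str, int] = field(
        default_factory=lambda: defaultdict(int)
    )


class GeminiGateway:
    def __init__(self, monthly_cap_usd: float, per_client_quota: int,
                 upstream: Callable[[str, str], Tuple[str, int]],
                 api_key: str = None):
        # The key is read from the server environment (name is an assumption);
        # an explicit value is accepted so tests run deterministically offline.
        self.api_key = (api_key if api_key is not None
                        else os.environ.get("GEMINI_API_KEY", ""))
        self.monthly_cap_usd = monthly_cap_usd
        self.per_client_quota = per_client_quota
        self.upstream = upstream
        self.state = GatewayState()

    @staticmethod
    def estimate_tokens(text: str) -> int:
        # Constructed heuristic: roughly four characters per token.
        return max(1, len(text) // 4)

    def handle(self, client_id: str, prompt: str) -> dict:
        if not self.api_key:
            # Refuse rather than fall back to anything shipped in a client.
            return {"status": "misconfigured", "detail": "no server-side key"}
        if self.state.requests_by_client[client_id] >= self.per_client_quota:
            return {"status": "quota_exceeded", "client": client_id}
        est_cost = self.estimate_tokens(prompt) / 1000 * ASSUMED_USD_PER_1K_TOKENS
        if self.state.spent_usd + est_cost > self.monthly_cap_usd:
            # Fail closed: once the cap would be crossed, stop forwarding.
            return {"status": "cap_reached",
                    "spent_usd": round(self.state.spent_usd, 6)}
        self.state.requests_by_client[client_id] += 1
        # Only the server ever sees the key; the client sent none.
        reply, billed_tokens = self.upstream(self.api_key, prompt)
        self.state.spent_usd += billed_tokens / 1000 * ASSUMED_USD_PER_1K_TOKENS
        return {"status": "ok", "reply": reply,
                "spent_usd": round(self.state.spent_usd, 6)}


def fake_upstream(api_key: str, prompt: str) -> Tuple[str, int]:
    """Constructed stand-in for the real model call: echoes, bills 100 tokens."""
    return f"echo: {prompt}", 100


def demo() -> list:
    """Four calls against a tiny cap: the fourth is refused, not billed."""
    gw = GeminiGateway(monthly_cap_usd=0.0005, per_client_quota=10,
                       upstream=fake_upstream, api_key="server-only-placeholder")
    return [gw.handle("app-user-1", "hello")["status"] for _ in range(4)]


if __name__ == "__main__":
    print(demo())
```

The cap check runs on the estimate before the request is forwarded and on the billed total after, so the gateway stops at most one request late rather than a billing cycle late. Key restrictions and rotation still apply to the server-side key itself; this block only removes the key from the client.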
The incidents also highlighted a billing-latency problem: revoking a compromised key can stop further requests, but reporting and billing windows mean charges can be calculated and posted before a developer can react, leaving teams facing large, already‑completed invoices. Several affected users recounted shutting down keys within minutes yet still seeing massive charges.
For many small teams and solo developers, those surprise bills risk more than headaches — they can threaten business continuity. That reality pushed calls inside the developer community for providers to add mandatory, enforceable spend limits on public model endpoints and clearer dispute processes for security-related billing fraud.
Google’s refunds and new billing tools are a partial response, but some developers say policy questions remain open: who bears responsibility when a legacy key becomes an entry point to paid AI services, and how quickly should cloud providers detect and pause anomalous usage automatically. Those debates are now informing product changes and forum guidance.
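The question of how quickly anomalous usage should be detected and paused, raised above alongside the billing-latency problem, is answerable on the developer's side with the usage data already available. This added example, not Google's code or any project's, counts requests per key per minute from a constructed log, compares each minute against the median of the preceding minutes, and returns the first minute at which the key would have been paused. The log format, the spike (thirty requests in one minute after a baseline of one or two) and the thresholds are constructed for illustration.

```python
"""Usage-spike detector that decides when to pause a key (added example).

Reads per-request log lines, buckets them per key per minute, and flags
the first minute whose count exceeds both an absolute floor and a multiple
of the recent median. Pausing on this signal beats waiting for the bill.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Optional

# Constructed sample log: quiet minutes, then a burst in minute 10:04.
SAMPLE_LOG = """\
2026-04-02T10:00:05Z key=legacy-maps-key-01 status=200
2026-04-02T10:00:41Z key=legacy-maps-key-01 status=200
2026-04-02T10:01:12Z key=legacy-maps-key-01 status=200
2026-04-02T10:02:03Z key=legacy-maps-key-01 status=200
2026-04-02T10:02:50Z key=legacy-maps-key-01 status=200
2026-04-02T10:03:30Z key=legacy-maps-key-01 status=200
""" + "".join(
    f"2026-04-02T10:04:{s:02d}Z key=legacy-maps-key-01 status=200\n"
    for s in range(0, 60, 2)
)

# Constructed quiet log: steady traffic that must not trigger a pause.
QUIET_LOG = "".join(
    f"2026-04-02T11:{m:02d}:30Z key=normal-key status=200\n" for m in range(10)
)


def parse_line(line: str):
    """Return (minute bucket, key id) for one 'timestamp k=v k=v' line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(second=0), kv["key"]


def requests_per_minute(log_text: str) -> Dict[str, Counter]:
    per_key: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        minute, key = parse_line(line)
        per_key.setdefault(key, Counter())[minute] += 1
    return per_key


def first_pause_minute(counts: Counter, baseline_windows: int = 3,
                       factor: float = 5.0,
                       min_requests: int = 10) -> Optional[datetime]:
    """First minute whose count is anomalous against recent history, or None.

    Minutes with no traffic count as zero so a burst after silence is seen.
    The baseline is floored at one request so a quiet key does not alarm on
    its first normal minute.
    """
    if not counts:
        return None
    start, end = min(counts), max(counts)
    history = []
    m = start
    while m <= end:
        n = counts.get(m, 0)
        if len(history) >= 2:
            baseline = max(median(history[-baseline_windows:]), 1)
            if n >= min_requests and n > factor * baseline:
                return m
        history.append(n)
        m += timedelta(minutes=1)
    return None


def decide_pauses(log_text: str, **thresholds) -> Dict[str, Optional[datetime]]:
    """Map each key in the log to the minute it should be paused (or None)."""
    return {key: first_pause_minute(c, **thresholds)
            for key, c in requests_per_minute(log_text).items()}


if __name__ == "__main__":
    for key, when in decide_pauses(SAMPLE_LOG + QUIET_LOG).items():
        print(key, "pause at" if when else "no action", when or "")
```

In the sample the burst is flagged in the same minute it starts, which is the window a pause decision needs; the provider-side billing window described above is what makes acting on the bill too late. Thresholds should be tuned per key to its real traffic rather than taken from this constructed data.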
Google said it reversed some bills and reimbursed victims while continuing to roll out spend caps and billing-account controls, though the company has not altered its automated tier‑upgrade policy, according to reporting and company comments. Developers are watching implementation timelines closely to see whether the new safeguards will stop future spikes.