
A €54k Gemini Bill Turns HN Back to Browser Keys and Hard Caps

Original: €54k spike in 13h from unrestricted Firebase browser key accessing Gemini APIs

AI | Apr 16, 2026 | By Insights AI (HN) | 1 min read

The HN thread around a Google AI Developers Forum post hit a nerve because it was not an exotic security story. A developer said that after enabling Firebase AI Logic on an existing Firebase project, automated traffic generated Gemini API usage that ended in a charge of more than €54,000. The project had an €80 budget alert and a cost anomaly alert, but the poster said those arrived hours late; by the time the team reacted, the cost view already showed around €28,000.

The community response focused less on blame and more on the shape of the trap. Browser-visible keys were long treated by parts of the Google ecosystem as identifiers that could be restricted rather than classic secrets. LLM APIs change that risk profile because a single generate endpoint can convert automated abuse into a large bill quickly. HN commenters connected the incident to public repositories containing Gemini-looking keys, older Firebase habits, and the difficulty of explaining to small teams that budget alerts are not spending caps.

Google staff replied in the forum thread with newer safeguards: Gemini API billing account caps, project spend caps, and a documented reporting delay of about 10 minutes. The same reply pointed users toward moving calls server-side, applying restrictions, and setting explicit caps. That context matters, but it did not erase the HN complaint: if billing data is delayed and the service can keep accepting requests during the delay, a budget alert can become a notification after the damage is already large.

The useful takeaway is operational. Any Gemini, Firebase AI Logic, or similar client-facing AI feature should start with server-side mediation, API restrictions, quotas, and spend caps before launch traffic arrives. Community discussion noted that cloud billing systems often optimize for metering at scale, while individual developers need a reliable emergency brake.
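One way to build that emergency brake, shown here as an added example that is not code from the forum thread, the HN discussion, or any Google SDK: a server-side admission check that reserves the estimated cost of a request before forwarding it upstream and refuses once a hard cap is reached, so the stop does not depend on delayed billing data. Prices, caps, client IDs and the traffic in `simulate_burst` are constructed values.

```python
import time
from collections import defaultdict, deque


class SpendGovernor:
    """Admission control for a server-side LLM proxy (illustrative, not a real SDK).

    Every request must be admitted *before* it is forwarded, and its estimated
    cost is reserved at that moment, so the cap is enforced by the proxy itself
    rather than by billing data that may arrive minutes or hours later.
    """

    def __init__(self, hard_cap_eur, per_client_rpm, eur_per_1k_tokens):
        self.hard_cap_eur = hard_cap_eur            # constructed cap value
        self.per_client_rpm = per_client_rpm        # requests per minute per client
        self.eur_per_1k_tokens = eur_per_1k_tokens  # constructed price, not a real tariff
        self.committed_eur = 0.0                    # reserved + settled spend so far
        self._windows = defaultdict(deque)          # client_id -> recent attempt times

    def estimate_eur(self, tokens):
        return tokens / 1000.0 * self.eur_per_1k_tokens

    def admit(self, client_id, est_tokens, now=None):
        """Return (allowed, reason); reserves the estimated cost when allowed."""
        now = time.monotonic() if now is None else now
        window = self._windows[client_id]
        while window and now - window[0] >= 60.0:   # drop attempts older than 1 min
            window.popleft()
        if len(window) >= self.per_client_rpm:
            return False, "rate_limited"
        window.append(now)                           # refused attempts count too
        cost = self.estimate_eur(est_tokens)
        if self.committed_eur + cost > self.hard_cap_eur:
            return False, "hard_cap"                 # refuse; nothing goes upstream
        self.committed_eur += cost
        return True, "ok"

    def settle(self, est_tokens, actual_tokens):
        """Replace the reservation with the usage the API actually reported."""
        self.committed_eur += self.estimate_eur(actual_tokens) - self.estimate_eur(est_tokens)


def simulate_burst(n_requests, tokens_each, hard_cap_eur=80.0, rpm=30, price=0.5):
    """Constructed scenario: one automated client fires n_requests at 10 per second."""
    gov = SpendGovernor(hard_cap_eur, rpm, price)
    outcome = {"ok": 0, "rate_limited": 0, "hard_cap": 0}
    for i in range(n_requests):
        allowed, reason = gov.admit("bot-client", tokens_each, now=i * 0.1)
        outcome[reason] += 1
        if allowed:
            gov.settle(tokens_each, tokens_each)     # assume the estimate was exact
    return outcome, gov.committed_eur
```

With the constructed defaults, a burst of 100 requests of 8,000 tokens each is cut off after 20 forwarded calls (€80 committed), the next 10 are refused by the cap, and the rest are rate limited; the upstream API never sees the refused traffic.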
