
Unrestricted Firebase Browser Key Leads to €54K Gemini API Billing Spike in 13 Hours

Published 2026-04-16 · AI Regulation and Governance · High

Summary

A developer reported on the Google AI Developers Forum that enabling Firebase AI Logic on an existing Firebase project resulted in an unexpected €54,000+ Gemini API charge accumulated in just 13 hours. The root cause appears to be an unrestricted Firebase browser API key that was exposed client-side, allowing unauthorized third parties to make Gemini API requests against the project's billing account without any API restrictions in place. This incident highlights a critical and growing risk in
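An added example (not from the forum post or this page's source) of the check the root cause calls for: auditing a project's API keys for missing API restrictions and for client-side keys that can reach the Gemini API. It assumes the keys were exported with `gcloud services api-keys list --format=json`; the key records are constructed, and the `COSTLY_SERVICES` set is an assumption to extend with whatever billable APIs the project enables.

```python
import json

# Assumption: service name of the Gemini API; add other billable AI APIs you enable.
COSTLY_SERVICES = {"generativelanguage.googleapis.com"}

# Constructed sample in the shape of `gcloud services api-keys list --format=json`.
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "Browser key (auto created by Firebase)", "uid": "key-1"},
  {"displayName": "web-maps", "uid": "key-2",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "web-ai", "uid": "key-3",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
     "apiTargets": [{"service": "generativelanguage.googleapis.com"}]}},
  {"displayName": "backend-ai", "uid": "key-4",
   "restrictions": {
     "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
     "apiTargets": [{"service": "generativelanguage.googleapis.com"}]}}
]
""")

def audit_key(key):
    """Return a list of findings for one API key record."""
    r = key.get("restrictions") or {}
    targets = {t.get("service") for t in r.get("apiTargets", [])}
    findings = []
    if not targets:
        # No apiTargets means the key is accepted by every API enabled on the project.
        findings.append("no API restrictions: key works for every enabled API")
    exposed = targets & COSTLY_SERVICES
    server_bound = bool(r.get("serverKeyRestrictions", {}).get("allowedIps"))
    if exposed and not server_bound:
        # Browser/mobile keys ship to clients, so treat them as public.
        findings.append("billable AI API reachable from a client-side key: "
                        + ", ".join(sorted(exposed)))
    return findings

def audit(keys):
    """Map key uid -> findings, listing only keys with at least one finding."""
    return {k["uid"]: f for k in keys if (f := audit_key(k))}

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_KEYS).items():
        for finding in findings:
            print(f"{uid}: {finding}")
```
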

Alignment: Reinforces current position
Related Positions: ai-governance-and-risk.md, ai-infrastructure-strategy.md, enterprise-ai-delivery.md
Tags: firebase, gemini-api, api-key-security, billing-spike, cloud-cost-management, ai-governance, google-cloud, api-restrictions, enterprise-risk, ai-infrastructure