If your security protocol includes deleting Google API keys to block access to cloud applications or third-party applications, get ready for some startling news: Those deleted credentials don’t stop working immediately, creating a significant security gap that cybercriminals could exploit.

“Deleted” Doesn’t Mean “Gone”

Most people treat API key deletion as an emergency shutoff switch. They expect that deleting a key after it’s leaked will immediately block access.

However, researchers at Aikido Security recently discovered that after a Google API key is deleted through the Google Cloud Console, it can continue to authenticate successfully for up to 23 minutes.  

The Google API key revocation delay means security teams now have to account for a delay they can’t even measure. If your business relies on fast credential rotation as part of its incident response, this news will likely prompt you to rethink that approach.

Why This Happens and How It Creates Real Security Risks

API keys are a critical element of secure cloud services. They’re used for a variety of purposes, such as connecting applications or accessing data.

That’s why learning that Google API keys still work after deletion is such a problem. IT may believe the security risk of orphaned credentials is contained while the credential in fact remains partially active during the most sensitive period of incident response.

The issue appears tied to authentication cache propagation and distributed cloud infrastructure. In massive cloud environments, changes don’t always ripple through instantly. Some systems recognize the deletion right away, while others lag. Because of this invalidation latency across Google’s distributed architecture, some nodes continue to honor the key while others have already marked it invalid.

Worse, there’s not much administrators can do about it, and there’s no confirmation from Google indicating when the authentication window has actually closed. That uncertainty is the real problem and makes cloud API key lifecycle management significantly harder. If a key is compromised and then deleted, 23 minutes is a long time for hackers to cause trouble.

How Can You Address the Threat?

While Google hasn’t announced a fix, you can reduce the risk of deleted Google API keys remaining active by:

  • Rotating keys proactively. Regular rotation reduces the value of each key, so don’t wait for a breach to trigger it.
  • Restricting key permissions aggressively. The more tightly scoped a key is, the less damage it can do.
  • Monitoring API usage in real time. Unexpected usage after a deletion event should prompt an immediate alert and deeper investigation.
  • Assuming the window exists. Build incident response playbooks that account for the possibility that a deleted key may remain active for up to 23 minutes.
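
To illustrate the monitoring step, here is an added Python example (not code from Aikido Security or Google) that flags successful calls made with a key after its deletion and separates those inside the reported 23-minute window from those beyond it. The event schema, field names, and function name are hypothetical, and the sample events are constructed; map them to whatever your own audit and usage logs provide.

```python
from datetime import datetime, timedelta

# Upper bound the article reports for a deleted key continuing to authenticate.
REPORTED_WINDOW = timedelta(minutes=23)

# Constructed sample events in a hypothetical normalised schema (not a Google log format).
SAMPLE_EVENTS = [
    {"type": "api_call", "key_id": "key-A", "ts": "2025-01-01T09:58:00+00:00", "status": 200, "src": "198.51.100.7"},
    {"type": "key_deleted", "key_id": "key-A", "ts": "2025-01-01T10:00:00+00:00"},
    {"type": "api_call", "key_id": "key-A", "ts": "2025-01-01T10:05:00+00:00", "status": 200, "src": "203.0.113.9"},
    {"type": "api_call", "key_id": "key-A", "ts": "2025-01-01T10:12:00+00:00", "status": 403, "src": "203.0.113.9"},
    {"type": "api_call", "key_id": "key-B", "ts": "2025-01-01T10:06:00+00:00", "status": 200, "src": "198.51.100.7"},
    {"type": "api_call", "key_id": "key-A", "ts": "2025-01-01T10:30:00+00:00", "status": 200, "src": "203.0.113.9"},
]

def post_deletion_usage(events, window=REPORTED_WINDOW):
    """Return one finding per successful call made with a key after it was deleted."""
    deleted_at = {}
    for e in events:  # first pass: earliest deletion time per key
        if e["type"] == "key_deleted":
            ts = datetime.fromisoformat(e["ts"])
            deleted_at[e["key_id"]] = min(ts, deleted_at.get(e["key_id"], ts))
    findings = []
    for e in events:  # second pass: calls that still succeeded after deletion
        if e["type"] != "api_call" or e["key_id"] not in deleted_at:
            continue
        lag = datetime.fromisoformat(e["ts"]) - deleted_at[e["key_id"]]
        if lag < timedelta(0) or e["status"] >= 400:
            continue  # made before deletion, or already rejected
        findings.append({
            "key_id": e["key_id"],
            "src": e["src"],
            "lag_seconds": int(lag.total_seconds()),
            # Inside the window: propagation lag, still alert and review the call.
            # Beyond it: the key outlived the reported bound, so escalate.
            "severity": "within_reported_window" if lag <= window else "beyond_reported_window",
        })
    return findings

if __name__ == "__main__":
    for finding in post_deletion_usage(SAMPLE_EVENTS):
        print(finding)
```
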

The Bigger Picture for Cloud Security

Twenty-three minutes may not sound long, but in cybersecurity, it’s an eternity. The fact that Google API keys still work at all after deletion is a reminder that cloud security controls don’t always behave the way you think. A green checkmark or a successful deletion confirmation isn’t the same as immediate enforcement.

Until Google issues a fix, treat API key revocation as a process that takes time to complete, not an instant switch, and plan your security response accordingly.