top | item 47163514

(no title)

> This makes sense. These keys were designed as project identifiers for billing, and can be further restricted with (bypassable) controls like HTTP referer allow-listing. They were not designed as authentication credentials.

Can't you just run up a huge bill for a developer by spamming requests with their key? I don't see how this wasn't always an issue?

discuss

michaelt|4 days ago

Keys could have certain restrictions [1] such as HTTP Referer, which meant you couldn't just embed a map on your website and charge a different website for the views.

Not perfect protection of course - an attacker could spam requests with all the right headers if they wanted to - but it removes one of the big motivations for copying someone else's API key.

[1] https://docs.cloud.google.com/api-keys/docs/add-restrictions...

voidUpdate|4 days ago

I was thinking more maliciously targeting the developer and running up a huge bill than reusing their key for your use

chinathrow|4 days ago

I guess this was an issue all along - but the cost per request is most def way higher for LLM API calls than for e.g. a Maps API call.

joking|4 days ago

with llms maybe you can reuse their api for your own benefit instead of just showing some maps, so the issue is even worse that only cost.