Hacker News

lukeiodev today at 7:59 AM

The key didn’t change. What changed is what it can do.

What used to be a simple project identifier can now trigger expensive API calls once Gemini is enabled.

Since nothing in the old code changes, there’s no obvious moment where someone stops and re-evaluates the risk.


Replies

zahlman today at 9:11 AM

The new code changes from not existing, to existing.

Indeed, the key doesn't change. The new capability comes from the new code.

It would not be a re-evaluation of risk, because this is a new project. The evaluation of risk is supposed to come at the moment when the new capability is implemented, and consciously tied to an existing key type, which was previously advertised as non-secret.
