alt Hacker News> This makes sense. These keys were designed as project identifiers for billing, and can be further restricted with (bypassable) controls like HTTP referer allow-listing. They were not designed as authentication credentials.
Can't you just run up a huge bill for a developer by spamming requests with their key? I don't see how this wasn't always an issue?
Replies
chinathrow • today at 8:44 AM
I guess this was an issue all along - but the cost per request is most def way higher for LLM API calls than for e.g. a Maps API call.
➕ show 1 reply
Keys could have certain restrictions [1] such as HTTP Referer, which meant you couldn't just embed a map on your website and charge a different website for the views.
Not perfect protection of course - an attacker could spam requests with all the right headers if they wanted to - but it removes one of the big motivations for copying someone else's API key.
[1] https://docs.cloud.google.com/api-keys/docs/add-restrictions...