Um. What? In what world are API keys not secrets?
In the Firebase world, API keys are for identification, not authorisation.
https://firebase.google.com/docs/projects/api-keys
Public by design: API keys for Firebase services only identify your Firebase project and app to those services. Authorization is handled through Google Cloud IAM permissions, Firebase Security Rules, and Firebase App Check.
Google's world. They explicitly tell you that API keys are not secrets.
https://trufflesecurity.com/blog/google-api-keys-werent-secr...
In the frontend world where you have client-side API keys talking directly to 3rd party services from the client. Think things like Google Maps and similar.
Public API keys are a thing. Arguably they are poorly named (it's really more of a client identifier), and modeling them as primarily a key instead of primarily as a non-secret identifier can go very wrong, as evidenced here.
Google API keys have been used for ages on the frontend. For example on Google Maps embeds. Those are not possible without exposing a key to the frontend. They weren't secret, until Gemini arrived.
https://trufflesecurity.com/blog/google-api-keys-werent-secr...
https://medium.com/@ahhyesic/your-google-maps-api-key-now-ha...
https://www.malwarebytes.com/blog/news/2026/02/public-google...