Google API Keys Remain Active After Deletion

Deleting a Google API key does not result in its immediate deactivation, according to recent research. On average, these keys continue to function for approximately 16 minutes after being removed from the system. This delay creates a temporary but critical security gap where deleted credentials could still be exploited for unauthorized access or automated requests.

Because Google seemingly does not view this revocation lag as a security bug, teams should adjust their operational protocols to account for the delay. Best practices for mitigating risks during this window include:

  • Adopting a 30-minute safety buffer before considering a key fully decommissioned.
  • Actively monitoring credential usage within the Enabled APIs and services section of the Google Cloud Platform console.
  • Rotating keys during low-traffic periods to minimize potential exposure.
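
The buffer and monitoring practices above can be combined into one check. The following is an added example, not code from the research or from Google: it reviews deleted keys against request records and reports any requests accepted after deletion. The record layout, key IDs, timestamps and the rule that an HTTP status below 400 means "accepted" are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

SAFETY_BUFFER = timedelta(minutes=30)  # buffer recommended in the article

# Constructed sample data, not real Google Cloud output. Record layout is an
# assumption: (timestamp, key id, HTTP status) exported from usage monitoring.
DELETIONS = {
    "key-a": "2025-01-10T02:00:00+00:00",
    "key-b": "2025-01-10T02:05:00+00:00",
}
REQUESTS = [
    ("2025-01-10T01:58:10+00:00", "key-a", 200),  # before deletion, expected
    ("2025-01-10T02:03:41+00:00", "key-a", 200),  # accepted after deletion
    ("2025-01-10T02:14:02+00:00", "key-a", 200),  # accepted after deletion
    ("2025-01-10T02:21:30+00:00", "key-a", 403),  # rejected, revocation applied
    ("2025-01-10T02:06:00+00:00", "key-b", 403),  # rejected
]


def review_deleted_keys(deletions, requests, now):
    """Return {key_id: report} for each deleted key.

    report["accepted_after_delete"]: requests that succeeded after deletion
    report["observed_lag_s"]: seconds from deletion to last accepted request
    report["status"]: "pending" inside the buffer, "still-active" if a request
    was accepted after the buffer ended, otherwise "decommissioned"
    """
    reports = {}
    for key_id, deleted_raw in deletions.items():
        deleted_at = datetime.fromisoformat(deleted_raw)
        accepted = sorted(
            datetime.fromisoformat(ts)
            for ts, rid, status in requests
            if rid == key_id and status < 400
            and datetime.fromisoformat(ts) > deleted_at
        )
        lag = (accepted[-1] - deleted_at).total_seconds() if accepted else 0.0
        buffer_end = deleted_at + SAFETY_BUFFER
        if accepted and accepted[-1] >= buffer_end:
            status = "still-active"
        elif now < buffer_end:
            status = "pending"
        else:
            status = "decommissioned"
        reports[key_id] = {"accepted_after_delete": len(accepted),
                           "observed_lag_s": lag, "status": status}
    return reports
```

A key reported as "still-active" was accepted after the 30-minute buffer ended and should be escalated, not waited out.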