1

Hello,

We are looking for guidance regarding an unexpected €54,000+ Gemini API charge that occurred within a few hours after enabling Firebase AI Logic on an existing Firebase project.

Background:

We created the project over a year ago and initially used it only for Firebase Authentication. Recently, we added a simple AI feature (generating a web snippet from a text prompt) and enabled Firebase AI Logic.

What happened:

Shortly after enabling this, we experienced a sudden and extreme spike in Gemini API usage. The traffic was not correlated with our actual users and appeared to be automated. The activity occurred within a short overnight window and stopped once we disabled the API and rotated credentials.

Additional observations:

  • We had a budget alert (€80) and a cost anomaly alert, both of which triggered with a delay of a few hours
  • By the time we reacted, costs were already around €28,000
  • The final amount settled at €54,000+ due to delayed cost reporting

This describes our issue in more detail:

Aftermath:

We worked with Google Cloud support and provided logs and analysis. The charges were classified as valid usage because they originated from our project, and our request for a billing adjustment was ultimately denied.

This usage was clearly anomalous, not user-driven, and does not reflect intended or meaningful consumption of the service.

Questions:

  • Has anyone encountered a similar issue after enabling Firebase AI Logic or Gemini?
  • Are there recommended safeguards beyond App Check, quotas, and moving calls server-side?
  • Is there any escalation path we may have missed for cases like this?

Any guidance or shared experience would be greatly appreciated.

2

(post deleted by author)

Hey @zanbezi ! Sorry to hear about this. A few things:

  1. We have billing account caps rolled out to users of the Gemini API, see: https://ai.google.dev/gemini-api/docs/billing#tier-spend-caps; tier 1 users can spend $250 a month and then are cut off by default (there is a 10 minute delay in all of the reporting)

  2. We now support project spend caps, if you want to set a customer spend cap, you can also do that (I have my account set at $50 so I don’t spend too much accidentally when building, the same 10 minute delay applies here too): https://ai.google.dev/gemini-api/docs/billing#project-spend-caps

  3. We are moving to disable the usage of unrestricted API keys in the Gemini API, should have more updates there soon.

  4. We now generate Auth keys by default for new users (more secure key which didn’t exist when the Gemini API was originally created a few years ago) and will have more to share there soon.

  5. You should generally avoid putting a key in client-side code, as if it is exposed, even with the restrictions above, you can incur costs.

  6. In many cases, we can automatically detect when a key is visible on the public web and shut down those keys automatically for security reasons (this happened to me personally, I accidentally pushed my API key to the public API docs and it was shut down in minutes).

  7. By default, keys generated in Google AI Studio are restricted to just the Gemini API, no other services are enabled. However, keys generated from other parts of Google Cloud have this cross-service capability, you can double check keys and make sure they are restricted for just the resource you need.

  8. Pls email me and our team can take a look into this case (Lkilpatrick@google.com), we take this all very seriously and have been pushing hard to land all the features mentioned above and more.

  9. We just started the prepaid billing rollout which means you have to pay ahead of time to use the Gemini API, this is rolled out to all new US billing accounts as of yesterday and rolling out globally right now. This is yet another way to give developers more control over their spending / costs and ensure you know what you are signing up for when using the Gemini API.

I hope this helps and sorry for the hassle on this experience, pls email me if there is more to chat about!
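The thread turns on two controls: keep the model API key off the client (point 5 above, and the original poster's "moving calls server-side"), and have a spend cap that stops traffic before the bill runs away (points 1 and 2, both with a reporting delay). The following is an added example, not code from the thread, from Firebase or from the Gemini API: a minimal Node.js gateway that holds the upstream key itself, requires an already-verified user identity, applies a per-user token-bucket quota, and keeps its own spend ledger with a hard stop. Because the ledger is charged before the upstream call and is local to the gateway, it does not depend on the provider's delayed cost reporting. The `callModel` function and the fixed cost per call are hypothetical placeholders standing in for the real model client and a real cost estimate.

```javascript
// Added example (not from the thread): a server-side gateway between
// clients and a paid model API. Clients authenticate to the gateway;
// the upstream API key never leaves the server. Time is passed in
// explicitly (milliseconds) so the logic is deterministic and testable.

// Per-identity token bucket: at most `capacity` calls in a burst,
// refilled at `refillPerSec` tokens per second.
class TokenBucket {
  constructor(capacity, refillPerSec, nowMs) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.lastMs = nowMs;
  }

  take(nowMs) {
    const elapsedSec = Math.max(0, nowMs - this.lastMs) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.lastMs = nowMs;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

class ModelGateway {
  // capCents: hard local spend cap for this gateway instance.
  // costPerCallCents: hypothetical flat estimate charged per request
  //   (a real deployment would estimate from token counts).
  // burst / perMinute: per-user quota. callModel: upstream call (stubbed).
  constructor({ capCents, costPerCallCents, burst, perMinute, callModel }) {
    this.capCents = capCents;
    this.costPerCallCents = costPerCallCents;
    this.burst = burst;
    this.refillPerSec = perMinute / 60;
    this.callModel = callModel;
    this.spentCents = 0;       // integer cents: avoids float drift in the ledger
    this.buckets = new Map();  // userId -> TokenBucket
    this.denied = [];          // audit trail of refusals; this is what you alert on
  }

  // userId must come from a verified identity (e.g. a checked ID token),
  // never from an untrusted request field. Returns { ok, result } or
  // { ok: false, reason }.
  handle(userId, prompt, nowMs) {
    if (!userId) return this.deny(null, "unauthenticated", nowMs);

    // Global hard stop, checked before any quota so a flood of fresh
    // identities cannot bypass it.
    if (this.spentCents + this.costPerCallCents > this.capCents) {
      return this.deny(userId, "spend_cap", nowMs);
    }

    let bucket = this.buckets.get(userId);
    if (!bucket) {
      bucket = new TokenBucket(this.burst, this.refillPerSec, nowMs);
      this.buckets.set(userId, bucket);
    }
    if (!bucket.take(nowMs)) return this.deny(userId, "rate_limited", nowMs);

    // Charge the ledger before the upstream call so concurrent requests
    // cannot all pass the cap check and overshoot it together.
    this.spentCents += this.costPerCallCents;
    const result = this.callModel(prompt);
    return { ok: true, result };
  }

  deny(userId, reason, nowMs) {
    this.denied.push({ userId, reason, atMs: nowMs });
    return { ok: false, reason };
  }
}

// Stand-alone demo with a stubbed upstream: 1 EUR cap, 10 cents per call,
// 3-call burst per user refilled at 60 per minute.
function demo() {
  const gw = new ModelGateway({
    capCents: 100, costPerCallCents: 10, burst: 3, perMinute: 60,
    callModel: (prompt) => `<p>snippet for: ${prompt}</p>`,  // stub, not a real model call
  });
  const t0 = 0;
  for (let i = 0; i < 4; i++) console.log(gw.handle("alice", "hero banner", t0));
  for (let i = 0; i < 8; i++) console.log(gw.handle(`bot${i}`, "spam", t0));
  console.log("spent cents:", gw.spentCents, "denials:", gw.denied);
}

demo();
```

The fourth request from `alice` is refused as `rate_limited`, and once the ledger reaches the cap every further request is refused as `spend_cap`, regardless of how many distinct identities the caller rotates through. Pairing this with the provider-side project spend cap gives two independent stops: the provider's cap bounds the damage if the gateway itself is bypassed or misconfigured, and the local ledger closes the reporting-delay window the thread describes.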

4

Hi,

Thanks for the detailed response, we really appreciate it. It is good to see that additional safeguards (like spend caps) are being introduced.

I will reach out via email with the details so your team can take a closer look.

Thanks again for taking the time to respond.

5

Great to see you here Logan. This is the proper way to deal with a fiasco like this one.