The problem is Google explicitly stating that those API keys are not secret and should be public, which indeed was true until Gemini came around.