voidUpdate 6 hours ago

> This makes sense. These keys were designed as project identifiers for billing, and can be further restricted with (bypassable) controls like HTTP referer allow-listing. They were not designed as authentication credentials.

Can't you just run up a huge bill for a developer by spamming requests with their key? I don't see how this wasn't always an issue?

michaelt 4 hours ago

Keys could have certain restrictions [1] such as HTTP Referer, which meant you couldn't just embed a map on your website and charge a different website for the views. Not perfect protection of course - an attacker could spam requests with all the right headers if they wanted to - but it removes one of the big motivations for copying someone else's API key.

[1] https://docs.cloud.google.com/api-keys/docs/add-restrictions...

chinathrow 6 hours ago

I guess this was an issue all along - but the cost per request is most def way higher for LLM API calls than for e.g. a Maps API call.