Google API keys retain functionality for up to 23 minutes after deletion, a significant gap between stated behavior and actual operation. Security researchers found that keys deleted through the Google Cloud Console continue working during this window, contradicting Google's documentation, which claims immediate revocation.
The delay stems from cache propagation across Google's distributed infrastructure. When a user deletes an API key, the deletion command doesn't instantly reach all backend systems responsible for validating requests. Instead, cached copies of the key persist until the cache refreshes, typically between 15 and 23 minutes later.
This window presents a genuine attack vector. An attacker who obtains a deleted API key during this period can still access protected resources, submit API requests, and potentially extract sensitive data or perform unauthorized operations. The risk intensifies for organizations that rotate keys following suspected compromise: security teams may believe a compromised key is neutralized within seconds, only to discover that attackers continue exploiting it minutes later.
Google acknowledged the behavior but frames it as acceptable. The company states the delay aligns with standard cloud practices and occurs transparently to most users. However, security researchers argue the documentation should explicitly warn of this lag, particularly for organizations handling sensitive workloads.
Organizations using Google Cloud Platform APIs should adjust incident response procedures accordingly. When revoking keys due to suspected compromise, teams should monitor API usage for at least 25 minutes post-deletion and add further restrictions such as IP allowlisting. For high-security applications, credential rotation protocols must account for the 23-minute overlap period.
Google has not announced plans to reduce the cache propagation window. The company recommends customers treat API key compromise as critical incidents and monitor for unauthorized access during the cache expiration period. Teams managing payment processing, authentication services, or other sensitive APIs should treat key deletion as a staged revocation rather than instantaneous termination.
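The staged-revocation monitoring described above, as an added illustration that is not part of the original report or of any Google tooling: it classifies requests from a constructed request log by how long after the key's deletion they were accepted, using the report's 23-minute propagation figure and 25-minute monitoring recommendation. The log format, key ids and timestamps are all constructed placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta
# Figures taken from the report above: deleted keys kept working for up to
# 23 minutes, and teams were told to watch usage for at least 25 minutes.
PROPAGATION_WINDOW = timedelta(minutes=23)
MONITOR_WINDOW = timedelta(minutes=25)

# Constructed sample: a placeholder key id (not a real key) and request log
# lines in the form "<ISO-8601 timestamp> key=<id> path=<endpoint>".
DELETED_KEY = "deleted-key-placeholder"
DELETED_AT = datetime.fromisoformat("2024-05-01T10:00:00+00:00")
SAMPLE_LOG = [
    "2024-05-01T09:58:00+00:00 key=deleted-key-placeholder path=/v1/maps",
    "2024-05-01T10:05:30+00:00 key=deleted-key-placeholder path=/v1/maps",
    "2024-05-01T10:22:59+00:00 key=deleted-key-placeholder path=/v1/geocode",
    "2024-05-01T10:30:00+00:00 key=other-key-placeholder path=/v1/maps",
    "2024-05-01T10:40:00+00:00 key=deleted-key-placeholder path=/v1/geocode",
]

def parse_log_line(line):
    """Split one constructed log line into (timestamp, key id, path)."""
    ts, rest = line.split(" ", 1)
    fields = dict(f.split("=", 1) for f in rest.split())
    return datetime.fromisoformat(ts), fields["key"], fields["path"]

def classify_requests(log_lines, deleted_key, deleted_at):
    """Bucket each request that used the deleted key by its age since deletion."""
    findings = []
    for line in log_lines:
        ts, key, path = parse_log_line(line)
        if key != deleted_key:
            continue
        age = ts - deleted_at
        if age < timedelta(0):
            status = "pre_deletion"           # accepted before revocation began
        elif age <= PROPAGATION_WINDOW:
            status = "in_propagation_window"  # expected lag, still unauthorized use
        else:
            status = "revocation_failed"      # past the documented worst case: escalate
        findings.append((ts, path, status))
    return findings

def summarize(findings):
    """Count findings per status so a responder can see the revocation state."""
    return dict(Counter(status for _, _, status in findings))

def monitoring_complete(deleted_at, now):
    """True once the recommended 25-minute post-deletion watch has elapsed."""
    return now - deleted_at >= MONITOR_WINDOW
```

Any request landing in the `revocation_failed` bucket means the key outlived the documented worst case and the incident should be escalated rather than closed.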
This disclosure highlights how distributed systems introduce timing vulnerabilities that transcend
