Google Gemini is one of the most widely used LLM providers for AI builders. Getting a Gemini API key is straightforward, but the security practices that follow are just as important as the setup itself.
What is a Gemini API key?
A Gemini API key is a credential issued by Google that authenticates your application's requests to the Gemini models. You create it through Google AI Studio, and it is tied to a Google Cloud project for billing. The key authorizes usage and ties any charges to your account. Without it, Gemini API calls return authentication errors.
Why does Gemini API key security matter?
An exposed Gemini key gives anyone the ability to generate inference charges on your Google Cloud project. Because Google Cloud is often used for infrastructure as well as AI, a leaked key in a broader cloud project may grant access beyond just the Gemini API. Palo Alto Networks reported API attacks increased 41% year over year in 2025. Getting a Gemini API key is easy enough that many developers do it quickly and skip the security steps, which is exactly when accidental exposure tends to happen.
How do I get and secure a Gemini API key?
Getting the key:
- Go to aistudio.google.com and sign in with your Google account.
- Click Get API key in the left navigation, or go directly to aistudio.google.com/api-keys.
- Click Create API key. Choose Create API key in a new project for the simplest setup, or select an existing Google Cloud project.
- Copy the key value and store it in a password manager or secrets manager. AI Studio does allow you to view the key again later, but saving it immediately is the safer habit.
Securing the key:
Use environment variables. Set the key as GEMINI_API_KEY in your shell environment. The current google-genai SDK reads this variable automatically when you call genai.Client() with no arguments. Add the variable to your shell profile (~/.bashrc, ~/.zshrc) rather than writing it into project files. Avoid setting both GEMINI_API_KEY and GOOGLE_API_KEY simultaneously — if both are present, GOOGLE_API_KEY takes precedence and the SDK logs a warning you will likely miss.
Restrict the key in AI Studio. Starting June 19, 2026, the Gemini API will block unrestricted traffic keys. Go to aistudio.google.com/api-keys and check whether your key shows an "unrestricted" tag. If it does, click Restrict to Gemini API to fix it in one step. Keys created through AI Studio in 2026 are typically already restricted to the Generative Language API by default.
Set a quota limit. In the Google Cloud Console under APIs and Services, configure a quota limit or budget alert for the Gemini API. This caps the damage if the key is misused.
Do not store the key in your project directory. Avoid creating a .env file inside your project folder that contains the key. If you use a .env file, add it to .gitignore before writing any credentials into it.
Use service accounts for production. For production workloads, use a Google Cloud service account with Workload Identity rather than an API key. Service accounts support granular IAM permissions and do not require long-lived static credentials.
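A pre-flight check that applies the environment-variable and file-layout rules above before a client is ever constructed, written as an added example (not code from the article or from Google's google-genai SDK). It assumes Google API keys begin with "AIza" for the config-file scan, and the sample project it builds is a constructed fixture containing a fake key.

```python
import re
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# Added example, not the article's or Google's SDK code. Assumption: Google API
# keys start with "AIza"; the config-file scan keys off that prefix.
KEY_PATTERN = re.compile(r"AIza[0-9A-Za-z_-]{20,}")
# File names the article lists as places a key gets committed by accident.
CONFIG_GLOBS = ("settings.py", "config.py", ".env", "*.env")

def resolve_api_key(env: Mapping[str, str]) -> Optional[str]:
    """Key the SDK would use, or None if zero or both variables are set.
    GOOGLE_API_KEY wins when both exist; fail loudly rather than bill the wrong project."""
    google, gemini = env.get("GOOGLE_API_KEY"), env.get("GEMINI_API_KEY")
    return None if (google and gemini) else (google or gemini or None)

def dotenv_is_ignored(project: Path) -> bool:
    """True when there is no .env, or .env is covered by .gitignore."""
    if not (project / ".env").exists():
        return True
    gitignore = project / ".gitignore"
    if not gitignore.exists():
        return False
    patterns = {line.strip() for line in gitignore.read_text().splitlines()}
    return bool(patterns & {".env", "/.env", "*.env"})

def find_hardcoded_keys(project: Path) -> list[str]:
    """'relative/path:line' for each key-shaped literal found in a config file."""
    files = {p for g in CONFIG_GLOBS for p in project.rglob(g) if p.is_file()}
    return [f"{p.relative_to(project)}:{n}" for p in sorted(files)
            for n, line in enumerate(p.read_text(errors="ignore").splitlines(), 1)
            if KEY_PATTERN.search(line)]

def preflight(project: Path, env: Mapping[str, str]) -> list[str]:
    """Collect findings; an empty list means it is safe to call genai.Client()."""
    problems = []
    if resolve_api_key(env) is None:
        problems.append("set exactly one of GEMINI_API_KEY or GOOGLE_API_KEY")
    if not dotenv_is_ignored(project):
        problems.append(".env exists but is not listed in .gitignore")
    problems += [f"key literal in {h}" for h in find_hardcoded_keys(project)]
    return problems

def build_sample_project() -> Path:
    """Constructed fixture: a fake key hardcoded in settings.py and an unignored .env."""
    root = Path(tempfile.mkdtemp())
    (root / "settings.py").write_text('API_KEY = "AIzaSy_EXAMPLE_NOT_A_REAL_KEY_0000000000"\n')
    (root / ".env").write_text("GEMINI_API_KEY=placeholder-not-a-key\n")
    return root
```

Running `preflight(build_sample_project(), os.environ)` from a project's startup script reports both storage mistakes on the fixture and returns an empty list once .env is ignored and the literal is removed.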
What are common mistakes to avoid?
- Creating the key directly in a Google Cloud project used for production infrastructure
- Not setting API restrictions so the key works for all Google Cloud services
- Storing the key in settings.py, config.py, or similar Python configuration files
- Skipping budget alerts until the project is in production
- Not restricting which IPs or referrers can use the key