NOW LET US – AI RAG SaaS Studio TP.HCM

€54k spike in 13h from unrestricted Firebase browser key accessing Gemini APIs


A developer incurred a massive €54,000 bill in just 13 hours after enabling Firebase AI Logic, highlighting the critical risks of unrestricted API keys and delayed billing alerts.

Hello,

We are looking for guidance regarding an unexpected €54,000+ Gemini API charge that occurred within a few hours after enabling Firebase AI Logic on an existing Firebase project.

Background:

We created the project over a year ago and initially used it only for Firebase Authentication. Recently, we added a simple AI feature (generating a web snippet from a text prompt) and enabled Firebase AI Logic.

What happened:

Shortly after enabling this, we experienced a sudden and extreme spike in Gemini API usage. The traffic was not correlated with our actual users and appeared to be automated. The activity occurred within a short overnight window and stopped once we disabled the API and rotated credentials.

Additional observations:

  • We had a budget alert (€80) and a cost anomaly alert, both of which triggered with a delay of a few hours
  • By the time we reacted, costs were already around €28,000
  • The final amount settled at €54,000+ due to delayed cost reporting

This describes our issue in more detail:

Aftermath:

We worked with Google Cloud support and provided logs and analysis. The charges were classified as valid usage because they originated from our project, and our request for a billing adjustment was ultimately denied.

This usage was clearly anomalous, not user-driven, and does not reflect intended or meaningful consumption of the service.

Questions:

  • Has anyone encountered a similar issue after enabling Firebase AI Logic or Gemini?
  • Are there recommended safeguards beyond App Check, quotas, and moving calls server-side?
  • Is there any escalation path we may have missed for cases like this?

Any guidance or shared experience would be greatly appreciated.

4 Likes
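
The post asks about safeguards beyond App Check, quotas, and moving calls server-side, and notes that the billing alerts fired hours late. The sketch below is an added example, not code from the original post or from Firebase or Google: a guard a server-side proxy could run before each upstream call, combining a per-client rate limit with a latched cap on locally estimated spend. The class name, the 5-cent per-call estimate, the limits, and the traffic are all constructed assumptions (the €80 cap mirrors the budget alert mentioned in the post).

```javascript
// Added example: spend guard for a server-side proxy in front of a paid model API.
// All names, prices and limits are assumptions; nothing here is a Firebase API.
class SpendGuard {
  constructor({ capCents, windowMs, perClientPerMinute, estCostCents, now }) {
    Object.assign(this, { capCents, windowMs, perClientPerMinute, estCostCents, now });
    this.windowStart = now();
    this.spentCents = 0;
    this.tripped = false; // latched: only an operator reset() reopens it
    this.hits = new Map(); // clientId -> timestamps of calls allowed in the last minute
  }
  // Call before forwarding a request upstream. Returns { allowed, reason }.
  check(clientId) {
    const t = this.now();
    if (t - this.windowStart >= this.windowMs) { // new budget window
      this.windowStart = t;
      this.spentCents = 0;
    }
    if (this.tripped) return { allowed: false, reason: "breaker_open" };
    // Per-client sliding window, so one caller cannot drain the budget alone.
    const recent = (this.hits.get(clientId) || []).filter((ts) => ts > t - 60000);
    this.hits.set(clientId, recent);
    if (recent.length >= this.perClientPerMinute) return { allowed: false, reason: "client_rate" };
    // Global cap on locally estimated spend, checked before the upstream call,
    // so it does not wait for billing data that arrives hours later.
    if (this.spentCents + this.estCostCents > this.capCents) {
      this.tripped = true;
      return { allowed: false, reason: "cap_reached" };
    }
    recent.push(t);
    this.spentCents += this.estCostCents;
    return { allowed: true, reason: "ok" };
  }

  reset() { this.tripped = false; this.spentCents = 0; this.windowStart = this.now(); }
}

// Constructed traffic: 50 requests/second spread over 200 client ids.
function simulate() {
  let clock = 0;
  const guard = new SpendGuard({ capCents: 8000, windowMs: 86400000,
    perClientPerMinute: 5, estCostCents: 5, now: () => clock });
  const out = { ok: 0, client_rate: 0, cap_reached: 0, breaker_open: 0 };
  for (let i = 0; i < 20000; i++) {
    clock += 20;
    out[guard.check("client-" + (i % 200)).reason]++;
  }
  return { ...out, spentCents: guard.spentCents, next: guard.check("real-user").reason };
}
```

In the constructed run the per-client limit slows the traffic but does not bound total spend, because the requests are spread over many client ids; the global cap is what stops it at the estimated €80. The breaker fails closed, so legitimate users are also refused until an operator calls `reset()`.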

© 2026 Now Let Us. All rights reserved.

Source: Hacker News
