www.darkreading.com 5/21/2026, 9:01:18 PM · external

Google API keys linger active up to 23 minutes after deletion

Primary Source aikido.dev

A security research report found that Google API keys remain active for up to 23 minutes after being deleted, contrary to user expectations of immediate deactivation. Researcher Joe Leon tested the revocation window and found a median deactivation time of around 16 minutes. The delay poses a significant risk: an attacker can keep using a deleted key until the deletion fully takes effect.

Leon's tests showed that authentication success rates varied by region and other factors, which complicates incident response for security teams. Aikido Security recommends allowing a precautionary 30-minute window after deleting an API key, as Google has not addressed the issue despite being informed.
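
An added example, not taken from the article or from Aikido's research: one way a responder could check request logs for calls a deleted key still authenticated, per region, and keep treating the key as live until the 30-minute window has passed. The log layout, key ids, regions and timestamps are constructed for illustration and are not a Google log format.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Precautionary window recommended in the article.
PRECAUTION_WINDOW = timedelta(minutes=30)

# Constructed sample records: ISO timestamp, key id, region, HTTP status.
# Hypothetical layout and identifiers, not a real provider log format.
SAMPLE_LOG = """\
2026-05-20T10:00:05Z key-demo-1 us-east 200
2026-05-20T10:03:40Z key-demo-1 eu-west 403
2026-05-20T10:09:12Z key-demo-1 us-east 200
2026-05-20T10:15:58Z key-demo-1 asia-se 200
2026-05-20T10:16:30Z key-demo-2 us-east 200
2026-05-20T10:21:07Z key-demo-1 us-east 403
2026-05-20T09:58:00Z key-demo-1 us-east 200
"""

def parse(log_text):
    """Yield (timestamp, key_id, region, status) from whitespace-separated lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key_id, region, status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, key_id, region, int(status)

def post_deletion_usage(log_text, key_id, deleted_at, now):
    """Summarise requests the deleted key still authenticated after deletion."""
    hits = sorted(
        (when, region) for when, kid, region, status in parse(log_text)
        if kid == key_id and when >= deleted_at and 200 <= status < 300
    )
    last = hits[-1][0] if hits else None
    return {
        "accepted_after_delete": len(hits),
        "by_region": dict(Counter(region for _, region in hits)),
        "last_accepted_after": (last - deleted_at) if last else None,
        # Keep treating the key as live until the window has passed.
        "treat_as_live": now < deleted_at + PRECAUTION_WINDOW,
        "review_until": deleted_at + PRECAUTION_WINDOW,
    }
```

Any accepted request after the deletion time is activity to review as part of the incident, regardless of which region served it.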


Article by CyberSIXT