IssueTracker

Problem you have encountered:

The Gemini API requires API keys to be included as a query parameter (?key=API_KEY). This is a security risk because URLs are logged in:

• Web servers (nginx, apache, cloudflare, etc.)
• Reverse proxies and CDNs
• Browser history and referrer headers
• Third-party monitoring/logging tools (Datadog, Sentry, etc.)

This increases the chance of accidental key exposure. Other major APIs (Google Cloud, OpenAI, AWS) use Authorization: Bearer <token> headers to prevent this.

This design may violate OWASP API Security Top 10, particularly:

• API3:2019 - Excessive Data Exposure (secrets in logs)
• API2:2019 - Broken User Authentication (risk of API key compromise)

What you expected to happen:

The API should support authentication via Authorization: Bearer <token> to prevent keys from being exposed in logs.

Steps to reproduce:

1. Follow the official documentation: https://ai.google.dev/tutorials/rest_quickstart
2. Run the example curl command:

   curl "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:generateContent?key=YOUR_API_KEY" \
   -H 'Content-Type: application/json' \
   -X POST \
   -d '{
     "contents": [{
       "parts": [{"text": "Explain how AI works"}]
     }]
   }'
   

3. Observe that the API key is in the URL, which can be logged in:
   • Shell history (history command)
   • Server logs
   • Proxy/CDN logs

Other information (workarounds, docs consulted, etc.):

• No official workaround exists; the API requires keys in URLs.
• Possible (but flawed) workarounds:
  • Using a reverse proxy to inject the key.
  • Manually scrubbing logs (not foolproof).
  • Avoiding logging full URLs (often impractical).
• Google Cloud APIs already use Authorization: Bearer <token>—Gemini API should follow the same best practice.

This should be addressed urgently to prevent unintentional API key leaks.