Google AI Studio API Key Setup: Create the Key, Then Check 6 Readiness Blocks

Create a Gemini API key in Google AI Studio, then verify project ownership, region support, billing or free tier, model status, active limits, and key safety before your first request.

Yingtu AI Editorial
Apr 27, 2026
yingtu.ai

Create the Gemini API key from Google AI Studio first. A created key only proves that a credential exists; it does not prove that the first API request can run. The usable route depends on the Google Cloud project behind the key, the region attached to the workload, billing or Free Tier state, the model chosen, active limits, and whether the key has already been exposed or restricted.

Before writing more code, run these six checks:

| Check first | Why it controls success | First action when it looks wrong |
| --- | --- | --- |
| Project | The key is tied to a Google Cloud project, and project ownership controls billing, limits, usage history, and recovery. | Confirm that the key belongs to the same project used for billing, quota, and logs. |
| Region | Google AI Studio and Gemini API availability is limited to listed countries and territories. | Compare the official available-region list; as of April 27, 2026, Taiwan appears in the Gemini API list, while Mainland China, Hong Kong, and Macao do not appear in that AI Studio / Gemini API list. |
| Billing or Free Tier | Free Tier access is model and condition specific; Paid Tier requires an active billing setup and may require prepay. | Check project billing and Free Tier status before assuming every model is available. |
| Model | A valid key does not make every old model ID callable. Preview names can change or shut down. | Pick the model from current Google model documentation, not from an older tutorial. |
| Active limits | Limits are project-level and model-aware; extra keys inside the same project do not multiply quota. | Open AI Studio for the project and inspect RPM, TPM, RPD, and any active tier label. |
| Key safety | A leaked key can be blocked, abused, or billed unexpectedly. | Rotate the key, move it into server-side environment variables or a secret manager, and remove public copies. |

Where to create the Google AI Studio API key

The official starting point is Google AI Studio API Keys. Sign in with the Google account that should own the developer project, choose or create a Google Cloud project, then create a Gemini API key. Google's Gemini API key documentation frames the relationship clearly: Gemini API calls need an API key, and keys are created and managed in Google AI Studio.

The project choice matters more than the copy button. A key is not an isolated password. It belongs to a Google Cloud project that has owners, billing state, usage records, rate limits, and recovery paths. If a teammate sends a key from a different project, the application may call the same Gemini model name but use another budget, another limit pool, and another admin boundary.

New users may see Google create a default project after accepting Terms of Service. That can be fine for a first test, but teams should still name the project, know who owns it, and decide whether it is a disposable prototype or the project that will carry production usage. Confusing a default project with the real deployment project is one of the fastest ways to misread billing, quota, and error logs.

Copy the key only once, then store it outside public code. Google allows explicit key use for small tests, but the production habit should be server-side environment variables, deployment secrets, or a secret manager. Avoid frontend bundles, mobile apps, public repositories, screenshots, issue trackers, shared notebooks, and chat logs.

Google AI Studio also has a display boundary. It shows unrestricted keys or keys restricted to the Generative Language API. Deeper API-key restrictions live in Google Cloud Console. If a key exists in the Cloud project but does not look the way a tutorial screenshot shows, check the project and Cloud Console before creating duplicates.

The six checks that matter after key creation

Most failed first requests are not solved by creating another key. They are solved by checking the contract behind the key.

| Readiness block | Healthy state | Common wrong assumption |
| --- | --- | --- |
| Project ownership | The key, billing view, quota view, and logs all point to the same Google Cloud project. | A key copied from any account behaves the same. |
| Region support | The developer surface and runtime location fit the Gemini API available-region list. | The consumer Gemini app working proves the API will work. |
| Billing or Free Tier | The target model is allowed for the current project state. | Free key creation equals free usage for every model. |
| Model status | The model ID is present in current Google model documentation. | A model ID from a 2025 video is still valid. |
| Active limits | RPM, TPM, RPD, and active tier state have enough room for the test. | More keys inside one project create more quota. |
| Security state | The key is not exposed, blocked, or committed into a client surface. | A leaked key can be kept if no one has used it yet. |

The order is deliberate. Project comes first because every later view depends on it. Region comes before code because unsupported locations can make a correct request fail. Billing and model status come before tuning because Free Tier eligibility and model access are separate. Limits and security come last because they often explain sudden failures after an integration worked once.

For deeper quota and Free Tier decisions, use the separate Gemini API Free Tier limits route. The setup task here is narrower: make the key safe and prove that the first request can run under the current project.

Put the key in an environment variable and make a small first request

The first request should be boring. It should prove that the application reads the key, calls a current model, and receives a response without burning tokens, concurrency, or debugging time.

[Figure: Google AI Studio API key project, billing, active limits, and first-request flow]

Use an environment variable for local testing:

```bash
export GEMINI_API_KEY="put the real key in a local or server-side secret"
export MODEL_ID="choose a current model ID from Google model documentation"
```

A minimal curl request can keep the same boundaries clear:

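```bash
# Send the key in the x-goog-api-key header instead of the URL query string,
# so it does not end up in proxy or access logs that record request URLs.
curl "https://generativelanguage.googleapis.com/v1beta/models/${MODEL_ID}:generateContent" \
  -H "x-goog-api-key: ${GEMINI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "contents": [
      {
        "parts": [
          { "text": "Reply with one short sentence." }
        ]
      }
    ]
  }'
```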

The exact SDK can change, but the operating rule should not. Read the key from a private environment, keep the prompt small, use a current model ID, and test from the same project and runtime path that the application will use. Add files, tools, long context, retries, queues, and user traffic only after the first request is clean.

Browser applications need one extra stop rule. A Gemini API key is a credential that can spend quota and expose project usage. Do not place it in NEXT_PUBLIC_ variables, client-side JavaScript, downloadable mobile packages, static HTML, or any code path that users can inspect. The safer shape is browser to your backend, backend to Gemini API, key stored on the server side.

Free key creation is not the same as free usage

Google AI Studio can let you create a key without charging at the moment of creation. That does not mean every Gemini API model, feature, region, or traffic level is free. The key authenticates the request; the project owns usage state.

Google's rate limits documentation describes limits such as requests per minute, tokens per minute, and requests per day. Those limits are tied to the project and model state, not to a single key string. Multiple keys in the same project are useful for rotation, environment separation, and access hygiene, but they are not a quota multiplier.

Google's billing documentation separates Free Tier and Paid Tier. Free Tier can cover selected models and conditions. Paid Tier requires an active billing account and, on current setup surfaces, may require a prepay amount such as 10 USD. Because pricing, tier labels, credit treatment, and model rows can change, treat the billing surface as the source of record on the day of deployment.

| Decision | Check here | Avoid this shortcut |
| --- | --- | --- |
| Is a model free for the current surface? | Current Gemini API pricing, billing, and model documentation. | An old screenshot or copied quota table. |
| How much can the project call now? | AI Studio active limits for the exact project. | A public RPM/RPD number from another account. |
| Why did the request hit 429? | Rate limits, usage, retry behavior, and active tier state. | Creating another same-project key first. |
| Should billing be enabled? | Workload reliability, privacy, model requirement, and budget owner. | Waiting until a customer-facing failure forces the decision. |

Free Tier is useful for learning, prototypes, and low-risk tests. Production traffic needs a different posture: budget alerts, ownership, logs, retry policy, data-handling review, and a plan for higher quota or billing. A key that works for a demo should not be treated as a production capacity plan.

Region support and 403 errors need route-specific debugging

Region availability must be checked against the developer route being used. Gemini in a consumer app, Google AI Studio, Gemini API, Vertex AI, Google Workspace, and Android Studio tooling are not the same availability contract.

For Google AI Studio and Gemini API key setup, use Google's available regions documentation. As of April 27, 2026, Taiwan appears in the official Gemini API available-region list. Mainland China, Hong Kong, and Macao do not appear in that AI Studio / Gemini API list. That statement is route-specific; it should not be reused as a claim about every Gemini consumer product or every Google Cloud AI surface.

A 403 PERMISSION_DENIED response should be treated as an ownership and eligibility problem before it is treated as a coding problem. Google's troubleshooting documentation points to causes such as wrong key, insufficient permission, unsupported Free Tier region, and authentication mismatch.

[Figure: Google AI Studio API key 403, 429, region, model, and quota troubleshooting matrix]

| Symptom | More likely cause | First check | Better next move |
| --- | --- | --- | --- |
| 403 PERMISSION_DENIED | Wrong project, region, permission, Free Tier condition, or auth route. | API key project, available regions, billing, model access. | Fix ownership or route before changing business logic. |
| A specific model fails | Model status changed, preview ended, billing or region does not fit. | Current Google model documentation. | Select a current model that the project can call. |
| AI Studio opens but API calls fail | UI access and API eligibility are different surfaces. | Key project, API region, Free Tier or Paid Tier state. | Debug the API route, not the consumer app. |
| Cloud notebook works in one place but not another | Runtime location or project state differs. | Runtime region, project, and credentials. | Move the workload to a supported route or project. |

For broader Gemini location issues, use the dedicated Gemini region availability route. The API-key setup path should stay focused on AI Studio, Gemini API, project ownership, and first-request recovery.

Recover from 429, unavailable models, and leaked keys in the right order

429 RESOURCE_EXHAUSTED usually means a limit dimension has been exhausted. The exhausted dimension may be requests, tokens, daily volume, active tier capacity, or retry pressure. A fast loop that retries every failure can turn a small quota event into a larger outage.

Use a low-cost recovery order:

  1. Confirm the Google Cloud project behind the key.
  2. Open AI Studio active limits for that project.
  3. Identify whether RPM, TPM, RPD, or another dimension is the blocker.
  4. Reduce concurrency and add exponential backoff.
  5. Shorten prompts, cache repeated work, and stop duplicate retries.
  6. Confirm that the target model fits the current billing and tier state.
  7. Request higher quota or move to a billed project when normal traffic still hits limits.
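
One way to encode steps 4 and 5 of the recovery order, as an added example that is not from the original page or from Google: a bounded retry loop that backs off only on 429 and stops at once on 403. The `send` callable, the `scripted` stand-in, and the treatment of 404 as a model-ID problem are assumptions of this example.

```python
import random
import time

# 403 and 429 handling follows the page. Treating 404 as "model ID is not
# callable" is an assumption of this example.
NO_RETRY = {
    403: "check project, region, billing and model access before changing code",
    404: "pick a current model ID from Google model documentation",
}


def backoff_delays(max_retries, base=1.0, cap=32.0, rng=random.random):
    """Exponential backoff with full jitter: rng() * min(cap, base * 2**n)."""
    for n in range(max_retries):
        yield rng() * min(cap, base * 2 ** n)


def call_with_backoff(send, max_retries=5, sleep=time.sleep, rng=random.random):
    """send() -> (http_status, body). Returns (outcome, status, attempts, waited)."""
    delays = backoff_delays(max_retries, rng=rng)
    attempts, waited = 0, 0.0
    while True:
        status, _body = send()
        attempts += 1
        if status == 200:
            return ("ok", status, attempts, waited)
        if status != 429:
            # Retrying cannot fix ownership, eligibility or a dead model ID.
            reason = NO_RETRY.get(status, "unexpected status, inspect the response")
            return ("stop: " + reason, status, attempts, waited)
        delay = next(delays, None)
        if delay is None:
            # Retry budget spent: the limit itself needs attention.
            return ("gave up: review active limits or quota", status, attempts, waited)
        sleep(delay)
        waited += delay


def scripted(statuses):
    """Constructed stand-in for the real HTTP call: replays fixed statuses."""
    it = iter(statuses)
    return lambda: (next(it), "")


if __name__ == "__main__":
    no_sleep = lambda s: None
    print(call_with_backoff(scripted([429, 429, 200]), sleep=no_sleep))
    print(call_with_backoff(scripted([403]), sleep=no_sleep))
    print(call_with_backoff(scripted([429] * 9), max_retries=3, sleep=no_sleep))
```

The jitter keeps several workers in the same project from retrying in lockstep, and the hard retry cap is what prevents the "fast loop" failure described above.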

Model failures need a separate habit. Do not copy a different preview ID from a video or forum post. Google's models documentation is the current source for model names and status. One concrete boundary matters here: Gemini 3 Pro Preview was shut down on March 9, 2026, so old examples that target it are not a reliable setup baseline.

[Figure: Google AI Studio API key security, storage, rotation, and environment variable checklist]

Leaked keys need rotation, not optimism. If a key has been committed, pasted, logged, shown in a screenshot, uploaded into a client bundle, or shared through an untrusted tool, create a new key, update server-side secrets, remove public copies, inspect usage and billing, and disable or delete the compromised key. Google can proactively block leaked API keys, so keeping the old key in production is not a recovery plan.
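
A pre-commit style check for the exposure paths named here and in the browser-application rule earlier (literal keys in client files, `NEXT_PUBLIC_` variables), as an added example that is not from the original page. The `AIza` plus 35 characters key pattern is a heuristic commonly used by secret scanners and is an assumption, as are the `CLIENT_HINTS` list and the constructed sample tree with its fake key.

```python
import re

# Assumption (not from the page): secret scanners commonly match Google API
# keys as "AIza" followed by 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Key variable names exposed to the browser through a NEXT_PUBLIC_ prefix.
PUBLIC_VAR_RE = re.compile(r"NEXT_PUBLIC_\w*(GEMINI|GOOGLE)\w*API_KEY", re.I)
# Path fragments treated here as client-visible surfaces (hypothetical list).
CLIENT_HINTS = ("public/", "static/", ".html", "src/components/", "android/")


def redact(key):
    """Show only enough of a key to locate it, never the full value."""
    return key[:6] + "..." + key[-2:]


def scan(files):
    """files: mapping of path -> text. Returns a list of finding dicts."""
    findings = []
    for path, text in files.items():
        client = any(hint in path for hint in CLIENT_HINTS)
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in KEY_RE.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": "literal-key", "client_surface": client,
                                 "value": redact(match.group())})
            if PUBLIC_VAR_RE.search(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": "public-env-var", "client_surface": True,
                                 "value": None})
    return findings


# Constructed sample tree; the key is a fake placeholder, not a real credential.
FAKE_KEY = "AIza" + "0" * 35
SAMPLE = {
    "server/.env.example": "GEMINI_API_KEY=\n",
    "web/.env.local": f"NEXT_PUBLIC_GEMINI_API_KEY={FAKE_KEY}\n",
    "web/public/index.html": f"<script>const k = '{FAKE_KEY}';</script>\n",
    "server/app.py": "import os\nkey = os.environ['GEMINI_API_KEY']\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding means the key should be treated as exposed and rotated; removing the line from the file does not remove it from history, bundles, or caches.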

Security also belongs in the setup checklist. A ready integration should be able to answer who can read the key, which project records usage, how the key is rotated, and who handles billing anomalies. If those answers are unclear, the setup is not finished.

AI Studio, Vertex AI, Android Studio, and gateways are different routes

Several tutorials and product snippets use similar words for different products. Separate the route before copying setup steps.

| Route | What it owns | Best fit | Boundary to keep |
| --- | --- | --- | --- |
| Google AI Studio / Gemini API key | A fast developer credential for Gemini API calls. | Individual developers, prototypes, small backend integrations. | Region, billing, Free Tier, active limits, and key security are still project decisions. |
| Vertex AI | Google Cloud's enterprise-oriented generative AI route. | Teams already using GCP IAM, regional endpoints, enterprise governance, and Cloud billing. | Credential, endpoint, IAM, pricing, and data boundaries differ from AI Studio quick keys. |
| Android Studio Gemini API key setup | IDE and Android development integration. | Android developers wiring Gemini into the local toolchain or app workflow. | It is not a general production secret-management plan for every backend. |
| Third-party gateway | A separate platform that may wrap models, billing, logs, support, and compatibility. | Developers who intentionally need a provider contract outside the official Google route. | It is not proof that official Google AI Studio region, pricing, or quota limits disappeared. |

For the primary setup task, use the official AI Studio key route. Move to Vertex AI when the project needs Cloud IAM, regional endpoints, enterprise governance, or existing GCP controls. Evaluate gateways only as separate provider contracts with their own model coverage, pricing, logs, support, and exit plan. Do not treat any gateway as an official Google workaround.

Final readiness checklist

The setup is ready when every row has a concrete answer:

| Question | Passing answer |
| --- | --- |
| Where did the key come from? | Google AI Studio API Keys, with a known Google Cloud project owner. |
| Where is the key stored? | Local or server-side environment variables, deployment secrets, or a secret manager. |
| Which model is called? | A current model ID from Google model documentation, not a deprecated preview ID. |
| What is free and what is paid? | Free Tier and Paid Tier status confirmed through current billing and pricing surfaces. |
| What are the active limits? | RPM, TPM, RPD, and tier state checked in AI Studio for the same project. |
| What happens on 403? | Project, region, permission, billing, and model eligibility are checked before code rewrites. |
| What happens on 429? | Backoff, concurrency reduction, prompt trimming, caching, and quota review are in place. |
| What happens after a leak? | New key generated, secrets updated, public copies removed, usage inspected, old key disabled. |

If any row is still unknown, the key has been created but not operationally set up. Resolve the unknown before connecting real user traffic or long-running jobs.

FAQ

Is a Google AI Studio API key free?

Creating the key does not normally incur a charge by itself, but usage depends on the project, model, region, Free Tier eligibility, billing state, and active limits. Check current Google billing and pricing surfaces before calling a workload free.

Should I use GEMINI_API_KEY or GOOGLE_API_KEY?

Google's Gemini API key documentation says Gemini API libraries can use GEMINI_API_KEY or GOOGLE_API_KEY. Pick one convention for the team, document where it is stored, and keep the value out of frontend and public code.

Can multiple API keys increase Gemini API quota?

No. Quota belongs to the project and model state, not to each key string. Multiple keys in one project help with rotation, environment separation, and security management, but they do not multiply active limits.

Why does a new key return 403 PERMISSION_DENIED?

Common causes include the wrong project, insufficient permission, unsupported region or Free Tier location, missing billing requirement, unavailable model, or authentication mismatch. Check project, region, billing, and model status before rewriting application code.

Why did the integration work yesterday and return 429 today?

The project may have exhausted RPM, TPM, RPD, or another active limit. Retry loops, longer prompts, higher traffic, model changes, and project tier changes can all make a previously working request fail.

Can Mainland China, Hong Kong, or Macao use Google AI Studio / Gemini API directly?

As of April 27, 2026, those three locations do not appear in Google's official AI Studio / Gemini API available-region list, while Taiwan appears in the list. Re-check the official region page before deployment because region support can change.

Does Gemini app access prove that Gemini API access works?

No. Gemini consumer surfaces, AI Studio, Gemini API, Vertex AI, Workspace, and Android Studio tooling have different product, region, account, billing, and data boundaries. Debug the route that the key actually uses.

What should I do if the API key leaked?

Create a new key, update server-side environment variables or secrets, remove the leaked value from public locations, inspect usage and billing, then disable or delete the compromised key. Do not keep using a key that has been exposed.

When should I choose Vertex AI instead of AI Studio?

Use AI Studio / Gemini API for quick developer setup and small integrations. Choose Vertex AI when the team needs GCP IAM, regional endpoints, enterprise governance, Cloud billing controls, and a Cloud-native deployment contract.

Which model ID should setup examples use?

Use a configurable MODEL_ID and fill it from current Google model documentation. Avoid hardcoding old preview IDs. Model availability, names, and preview status can change independently from the API key itself.
