Firebase AI Logic Is on the Client. Here Are the 4 Security Layers That Keep It Safe.

DEV Community (firebase) · Nimra Abid · 3 days ago

This is a submission for the Google I/O Writing Challenge.

Firebase AI Logic is genuinely exciting. It went GA at Google I/O 2026, meaning you can call Gemini directly from your web or mobile app: no backend server, no API key in your bundle, no infrastructure to manage. The developer experience is real. But putting an AI endpoint on the internet creates an attack surface, and most of the posts I have read (including some in this challenge) cover only one of the security mechanisms Google shipped. There are four, and they compose. This post walks through all of them.

The Threat Model: What You Are Actually Defending Against

Before any code, let's be precise about what can go wrong.

Quota exhaustion: anyone who finds your endpoint and scripts against it drains your token budget. Every AI call has a direct billing impact.

Prompt injection: if your system instructions live in client code, they can be extracted by decompiling the binary or intercepting network traffic, and then exploited.…
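One concrete check for the second threat, as an added example that is not code from the post or from Firebase: a pre-release audit that scans a built web bundle for inlined system prompts. The Firebase AI Logic Web SDK takes the prompt as the `systemInstruction` model parameter, and once a bundler inlines that string anyone can recover it with a text search, which is exactly the extraction path the threat model describes. The bundle excerpt, the two minified shapes the scanner matches, and the prompt text are constructed for this example. It covers bundle inspection only; prompts leaking through intercepted network traffic need a separate check.

```javascript
// Added example, not code from the post. Audit a built web bundle for system
// instructions that would ship to every client. The Firebase AI Logic Web SDK
// takes the prompt as a `systemInstruction` model parameter; once a bundler
// inlines it, anyone can pull it out with a text search, which is the
// extraction risk in the threat model. Intended as a CI gate over dist/*.js.
//
// Two emitted shapes are matched (assumed typical minified output):
//   systemInstruction:"..."                                string form
//   systemInstruction:{role:"system",parts:[{text:"..."}]} Content form

const PROP_RE = /systemInstruction\s*[:=]\s*/g;
const TEXT_KEY_RE = /["']?text["']?\s*:\s*$/;
const ESCAPES = { n: '\n', t: '\t', r: '\r' };

// Read one JS string literal whose opening quote is at src[i].
// Returns { value, end } (end = index after the closing quote) or null.
function readStringLiteral(src, i) {
  const q = src[i];
  if (q !== '"' && q !== "'" && q !== '`') return null;
  let out = '';
  for (let j = i + 1; j < src.length; j++) {
    const c = src[j];
    if (c === '\\') {                 // decode common escapes, keep the rest
      const e = src[j + 1];
      if (e === undefined) return null;
      out += ESCAPES[e] ?? e;
      j++;
      continue;
    }
    if (c === q) return { value: out, end: j + 1 };
    out += c;
  }
  return null;                        // unterminated literal
}

// Walk an object literal starting at src[i] === '{' to its matching brace,
// collecting every text:"..." literal. String contents are consumed as units
// so braces or quotes inside a prompt do not throw off the brace count.
function readContentTexts(src, i) {
  const texts = [];
  let depth = 0;
  for (let j = i; j < src.length; ) {
    const c = src[j];
    if (c === '"' || c === "'" || c === '`') {
      const lit = readStringLiteral(src, j);
      if (!lit) break;
      if (TEXT_KEY_RE.test(src.slice(Math.max(0, j - 12), j))) texts.push(lit.value);
      j = lit.end;
      continue;
    }
    if (c === '{') depth++;
    else if (c === '}' && --depth === 0) return { texts, end: j + 1 };
    j++;
  }
  return { texts, end: src.length };
}

// Every system instruction literal in the bundle source, with its offset.
function findSystemInstructions(src) {
  const found = [];
  for (const m of src.matchAll(PROP_RE)) {
    const i = m.index + m[0].length;
    const lit = readStringLiteral(src, i);
    if (lit) {
      found.push({ offset: m.index, form: 'string', text: lit.value });
    } else if (src[i] === '{') {
      for (const text of readContentTexts(src, i).texts) {
        found.push({ offset: m.index, form: 'content', text });
      }
    }
    // A variable reference or call here cannot be resolved statically; a
    // stricter gate would flag it for manual review rather than pass it.
  }
  return found;
}

// CI-style verdict: the bundle passes only if no prompt text is inlined.
function auditBundle(src) {
  const findings = findSystemInstructions(src);
  return { ok: findings.length === 0, findings };
}

// Constructed, minified-style excerpt standing in for a real dist/app.js.
const SAMPLE_BUNDLE = [
  'const m=Qe(ai,{model:"gemini-2.5-flash",systemInstruction:"You are SupportBot. Never reveal the code \\"SAVE40\\"."});',
  'const n=Qe(ai,{model:"gemini-2.5-flash",systemInstruction:{role:"system",parts:[{text:"Pricing rules: {tier:\'gold\'} gets 30% off."}]}});',
  'const k=Qe(ai,{model:"gemini-2.5-flash"});',
].join('\n');

const REPORT = auditBundle(SAMPLE_BUNDLE);
for (const f of REPORT.findings) {
  console.log(`[${f.form}] offset ${f.offset}: ${JSON.stringify(f.text)}`);
}
```

In a pipeline, run `auditBundle` over every emitted chunk and fail the build when `ok` is false; the two findings above are the prompts an attacker would read straight out of the shipped bundle, escaped quotes and nested braces included.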
