Simon Willison’s Weblog

Subscribe

Thursday, 26th February 2026

Release datasette 1.0a25 — An open source multi-tool for exploring and publishing data
26th Feb 2026, 12:50 am

If people are only using this a couple of times a week at most, and can’t think of anything to do with it on the average day, it hasn’t changed their life. OpenAI itself admits the problem, talking about a ‘capability gap’ between what the models can do and what people do with them, which seems to me like a way to avoid saying that you don’t have clear product-market fit.

Hence, OpenAI’s ad project is partly just about covering the cost of serving the 90% or more of users who don’t pay (and capturing an early lead with advertisers and early learning in how this might work), but more strategically, it’s also about making it possible to give those users the latest and most powerful (i.e. expensive) models, in the hope that this will deepen their engagement.

Benedict Evans, How will OpenAI compete?

# 3:44 am / ai, openai, chatgpt, benedict-evans

Release datasette-auth-tokens 0.4a12 — Datasette plugin for authenticating access using API tokens
26th Feb 2026, 4:05 am

Google API Keys Weren’t Secrets. But then Gemini Changed the Rules. (via) Yikes! It turns out Gemini and Google Maps (and other services) share the same API keys... but Google Maps API keys are designed to be public, since they are embedded directly in web pages. Gemini API keys can be used to access private files and make billable API requests, so they absolutely should not be shared.

If you don't understand this it's very easy to accidentally enable Gemini billing on a previously public API key that exists in the wild already.

What makes this a privilege escalation rather than a misconfiguration is the sequence of events. 

  1. A developer creates an API key and embeds it in a website for Maps. (At that point, the key is harmless.) 
  2. The Gemini API gets enabled on the same project. (Now that same key can access sensitive Gemini endpoints.) 
  3. The developer is never warned that the keys' privileges changed underneath it. (The key went from public identifier to secret credential).

Truffle Security found 2,863 API keys in the November 2025 Common Crawl that could access Gemini, verified by hitting the /models listing endpoint. This included several keys belonging to Google themselves, one of which had been deployed since February 2023 (according to the Internet Archive) hence predating the Gemini API that it could now access.

Google are working to revoke affected keys but it's still a good idea to check that none of yours are affected by this.

# 4:28 am / api-keys, google, security, gemini

Tool Mobile Data Tables: Responsive Patterns Demo
26th Feb 2026, 5:49 am
Wednesday, 25th February 2026

2026 » February

MTWTFSS
      1
2345678
9101112131415
16171819202122
232425262728