401 / 403 PERMISSION_DENIED - Gemini CLI authentication errors

Error text / 报错原文

• 401 Unauthorized
• 403 PERMISSION_DENIED
• API key not valid
• Generative Language API has not been used

What it means

Gemini CLI cannot authenticate to the Google AI API, or the project behind the key is not allowed to call the required service.

Most common causes

• GEMINI_API_KEY is missing in the shell used by the CLI
• The key belongs to a project without the API enabled
• OAuth cache is expired or corrupt
• API key restrictions do not allow the current host or API

Fastest fix

• Print the environment variable in the same terminal
• Enable the required API in Google Cloud Console
• Regenerate a restricted key if the old one was revoked
• Clear CLI OAuth cache only after confirming the key path

Safe fix

• Use different keys for local, CI, and production
• Restrict keys to the minimum APIs
• Keep keys in secret stores or shell profiles
• Document which auth mode the project uses

What not to do

• Do not commit .env files containing API keys
• Do not remove key restrictions to fix a local shell issue
• Do not mix OAuth and API key auth without knowing precedence

How to confirm the fix

Run the smallest reproducible command first, then retry the agent task only after authentication, quota, and tool discovery are stable.

echo $GEMINI_API_KEY
gemini --version
gcloud services list --enabled | grep generative

Related errors

• Not logged in - Please run /login - Claude Code →
• Failed to exchange authorization code for token - Antigravity →
• Failed to get OAuth token: state syncing error: key not found - Antigravity →
• 429 Too Many Requests / quota exceeded - Gemini CLI →
• DISCONNECTED - Gemini CLI MCP server is not connected or has errors →
• OAuth token expired or revoked - AI coding tools and MCP →

Related tools

• MCP Config Generator →
• JSON Formatter →
• Docker Compose Generator →
• JWT Decoder →
• Regex Tester →
• Hash Generator →
• URL Encoder →

Sources

• Gemini CLI MCP server docs ↗