“Is it safe to expose your Firebase API key?” In short, yes. The Firebase API key mainly lets Google's servers identify your project and is not a significant security risk if it is exposed. Other API keys are a different matter: be cautious with them and keep them private.
If you have not read my paper on WeChat mini-apps exposing API secret keys, check it out below:
Now, what if you accidentally reveal a private key? Andrew Hoffman’s experience gives an idea. His private AWS key was exposed briefly, and during that time bots took over his AWS servers to mine Bitcoin. While it’s an impressive feat, being the victim is no fun. If you’ve mistakenly committed a private key to your repository, GitHub has a useful article explaining how to remove sensitive data from a repository's history.
As the Firebase documentation states, “Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules (to control which users can access resources) and App Check (to control which apps can access resources).” So, setting the secrecy of the key aside, you must focus on configuring proper Security Rules and App Check controls. That said, Firebase API keys should still be kept safe when you use services such as Firebase ML, Firebase Authentication with the email and password sign-in method, or billable Google Cloud APIs. In these cases, an attacker in possession of the API key can cause denial-of-service (DoS) conditions against these services, so it is necessary to apply rate limiting to all requests made to Firebase.
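Because the API key does not gate access to your data, the Security Rules are where access control actually lives. The following Firestore rules file is an added example, not taken from the Firebase documentation or from any project named on this page; the collection names `users` and `public` and the field names `displayName` and `bio` are assumed for illustration. It shows the weak "open" rule that many starter projects ship with, commented out, beside a hardened owner-only configuration with an explicit default deny.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed starter configuration, shown for contrast): every client that
    // knows the public API key can read and write the whole database. Since the
    // key is public by design, this is equivalent to no access control at all.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: each user may only touch their own document, and only with the
    // expected fields. `request.auth` is null for unauthenticated requests, so
    // anonymous callers are rejected before the uid comparison runs.
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.data.keys().hasOnly(['displayName', 'bio'])
                            && request.resource.data.displayName is string
                            && request.resource.data.displayName.size() <= 64;
      allow delete: if request.auth != null && request.auth.uid == userId;
    }

    // Public reference data (assumed collection): anyone may read, nobody may
    // write from a client. Writes go through the Admin SDK on a trusted server,
    // which bypasses these rules entirely.
    match /public/{docId} {
      allow read: if true;
      allow write: if false;
    }

    // Explicit default deny for every path not matched above.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy with `firebase deploy --only firestore:rules` and exercise the rules with the Firebase Emulator Suite before shipping. Note that App Check enforcement is switched on per service in the Firebase console rather than inside this file; the rules above only decide which authenticated user can reach which document, while App Check decides which app instances may talk to the backend at all.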
If you use password-based Firebase Authentication and someone obtains your API key, they won’t gain access to your Firebase project’s database or Cloud Storage data, provided that data is protected by Firebase Security Rules. However, they can use the API key to reach Firebase’s authentication endpoints and initiate authentication requests against your project.