Is it safe to expose Firebase apiKey to the public?

javascript firebase
farmio picture farmio · May 27, 2016 · Viewed 120.6k times · Source

The Firebase Web-App guide states I should put the given apiKey in my Html to initialize Firebase:

// TODO: Replace with your project's customized code snippet
<script src="https://www.gstatic.com/firebasejs/3.0.2/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: '<your-api-key>',
    authDomain: '<your-auth-domain>',
    databaseURL: '<your-database-url>',
    storageBucket: '<your-storage-bucket>'
  };
  firebase.initializeApp(config);
</script>

By doing so, the apiKey is exposed to every visitor. What is the purpose of that key and is it really meant to be public?

Answer

Frank van Puffelen picture Frank van Puffelen · May 27, 2016

The apiKey in this configuration snippet just identifies your Firebase project on the Google servers. It is not a security risk for someone to know it. In fact, it is necessary for them to know it, in order for them to interact with your Firebase project. This same configuration data is also included in every iOS and Android app that uses Firebase as its backend.

In that sense it is very similar to the database URL that identifies the back-end database associated with your project in the same snippet: https://<app-id>.firebaseio.com. See this question on why this is not a security risk: How to restrict Firebase data modification?, including the use of Firebase's server side security rules to ensure only authorized users can access the backend services.

If you want to learn how to secure all data access to your Firebase backend services is authorized, read up on the documentation on Firebase security rules. These rules control access to file storage and database access, and are enforced on the Firebase servers. So no matter if it's your code, or somebody else's code that uses you configuration data, it can only do what the security rules allow it to do.

If you'd like to reduce the risk of committing this configuration data to version control, consider using the SDK auto-configuration of Firebase Hosting. While the keys will still end up in the browser in the same format, they won't be hard-coded into your code anymore with that.

Related questions

Firebase Permission Denied

I'm relatively new to coding and am having trouble. I have this code to send data to firebase app.userid = app.user.uid var userRef = app.dataInfo.child(app.users); var useridRef = userRef.child(app.userid); useridRef.set({ locations: "", theme: "", …

Read More
How to delete/remove nodes on Firebase

I'm using Firebase for a web app. It's written in plain Javascript using no external libraries. I can "push" and retrieve data with '.on("child_added")', but '.remove()' does not work the way it says it …

Read More
How do I detect if a user is already logged in Firebase?

I'm using the firebase node api in my javascript files for Google login. firebase.initializeApp(config); let provider = new firebase.auth.GoogleAuthProvider(); firebase.auth().signInWithPopup(provider); This works fine and the user is able to login with his Google credentials. …

Read More