• 0
name Punditsdkoslkdosdkoskdo

Is it safe to expose Firebase apiKey to the public?

The firebase Web-App guide states i should put the given apiKey in my Html to initialize firebase:

// TODO: Replace with your project's customized code snippet
<script src=""></script>
  // Initialize Firebase
  var config = {
    apiKey: '<your-api-key>',
    authDomain: '<your-auth-domain>',
    databaseURL: '<your-database-url>',
    storageBucket: '<your-storage-bucket>'

By doing so the apiKey is exposed to every visitor. What is the purpose of that key and is it really meant to be public?

The apiKey essentially just identifies your Firebase project on the Google servers. It is not a security risk for someone to know it. In fact, it is necessary for them to know it, in order for them to interact with your Firebase project.

In that sense it is very similar to the database URL that Firebase has historically been used to identify the back-end: https://<app-id>

  • 0
Reply Report