Is it safe to expose your Firebase API key to the public?

Cristina Gottardi

In a word, yes. As one of the Firebase team engineers has explained, your Firebase API key only identifies your project to Google’s servers; it is not a credential that grants access to your data. Exposing it is therefore not a security risk in itself. What actually controls who can read and write your Firestore, Realtime Database and Storage data is your Firebase Security Rules, so the key is safe to publish only as long as those rules are doing the gatekeeping.
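To make that distinction concrete, here is an added example of Firestore Security Rules; it is not from the original post or from the Firebase team. The commented-out block is the wide-open setting that would turn a public API key into a real problem, and the active rules are the corrected version, where only a signed-in user can touch documents under their own user id. The `/users/{userId}` collection path is an assumption for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting (left commented out on purpose): with this rule, anyone who
    // finds the public API key can read and write every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Corrected: a request must carry a Firebase Auth token (request.auth),
    // and the caller may only access the document whose id is their own uid.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }

    // Everything else is denied explicitly. This is also the default when no
    // rule matches, but spelling it out makes the intent obvious in review.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The API key appears in neither version: it never enters the authorization decision. The Auth token and the rules do, which is why a key in your client bundle is harmless while `allow read, write: if true;` is not.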

What about other API keys?

It’s definitely worth being prudent when it comes to securing the API keys that are meant to be kept private.

Bruno Pedro has a great guide on how to safely store API keys in your project. It’s well worth a read if you’re looking for better private key management.
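One practical guard for the keys that do have to stay private is a scanner run before each commit. The following is an added example, not code from the original post or from Bruno Pedro’s guide: a small Node.js check that flags AWS access key ids, PEM private-key blocks and hard-coded secret assignments, while deliberately leaving Firebase web API keys alone, since those only identify the project. The patterns, file paths and file contents are all constructed for the example.

```javascript
// Added example, not code from the original post: a pre-commit style scanner
// for credentials that must stay private. It does not flag Firebase web API
// keys ("AIza..." values), since those only identify the project. The
// patterns and the sample file contents below are constructed.

const PRIVATE_PATTERNS = [
  // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
  { kind: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/ },
  // PEM-encoded private keys (RSA, EC, OpenSSH, PKCS#8, ...).
  { kind: "PEM private key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  // Hard-coded assignments such as SECRET_ACCESS_KEY=... or password: "...".
  {
    kind: "hard-coded secret assignment",
    re: /(?:secret|password|passwd)[a-z_]*\s*[:=]\s*["']?[^"'\s]{12,}/i,
  },
];

// Scan one file's text; returns one finding per (line, pattern) hit.
function scanText(path, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const { kind, re } of PRIVATE_PATTERNS) {
      if (re.test(line)) findings.push({ path, line: idx + 1, kind });
    }
  });
  return findings;
}

// Scan a map of path -> contents (what a hook would collect from the staged
// files); a hook would refuse the commit whenever this list is non-empty.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

function shouldBlockCommit(files) {
  return scanFiles(files).length > 0;
}

// Constructed sample files: one safe Firebase config and two files that
// must never be committed.
const SAMPLE_FILES = {
  "src/firebaseConfig.js":
    'const firebaseConfig = {\n  apiKey: "AIzaSy-EXAMPLE-public-project-key",\n  projectId: "example-project",\n};\n',
  "deploy/env.sh":
    'export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\nexport AWS_SECRET_ACCESS_KEY="wJalrEXAMPLESECRETEXAMPLESECRET00"\n',
  "deploy/id_rsa":
    "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAconstructedNotARealKey\n-----END OPENSSH PRIVATE KEY-----\n",
};

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line}: ${f.kind}`);
}
console.log(shouldBlockCommit(SAMPLE_FILES) ? "commit blocked" : "commit allowed");
```

Run against the constructed sample set, the scanner reports the AWS key id and the secret assignment in `deploy/env.sh` and the private key in `deploy/id_rsa`, and nothing for the Firebase config. A check like this belongs in a Git pre-commit hook or a CI step; it is a coarse net, so keep the patterns narrow enough that developers do not learn to ignore it.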

What can happen if I accidentally expose a private key?

Andrew Hoffman had his private AWS key exposed for 5 minutes. In that time his AWS servers were commandeered by bots to mine bitcoin. This is actually rather impressive (assuming you’re not the victim).

What should I do if I have already committed a private key to my repository?

GitHub has a handy article which explains how you can remove sensitive data from a repository. Treat the key as compromised and revoke or rotate it first: rewriting history removes it from the repository, but any clone, fork or cache made in the meantime may still hold a copy. I followed this myself when I needed to take a repository from private to public access.

The repository in my case contained the code for a Chrome extension I had created and decided to make open source — mainly due to the fact that many tech-savvy users will only ever install extensions that are open source due to the large attack vectors they expose.

So, to recapitulate: yes, it’s fine to expose your Firebase API key, as long as your Security Rules are the thing standing between the public and your data. If you have already exposed a different key that was supposed to be kept private, there are options available to mitigate the damage done.