If it isn’t secure, why is Google including this in the SDK? Wasn’t the idea of Firebase actually not to have a backend (server code) different from cloud functions? You’re saying “you just need to get the keys”, but that wouldn’t work if you’re on a different domain. Also, I just saw there is a blog post on how to integrate reCAPTCHA — something that gives a bit more security vs bots; it is also limited on the domain name. Plus, if rules are used correctly, they also limit the attacker from getting the whole data. For me the Server SDK was made in order to give another way to developers to manage users, basically giving them some part of the Firebase Admin capabilities. To me it sounds like, as a creator of the server SDKs for .NET and Node.js, you find they are not widely used and you feel that you need to make some advertisement about them. No offence, but I really would like to get answers.