Is the Firebase apiKey a secret? (No — and here’s why)
The Firebase apiKey is safe to expose in client code. It’s an identifier, not a credential. Here’s what actually protects a Firebase app.
If a scanner told you your Firebase apiKey is "leaked," it’s wrong. Google’s own documentation says the Firebase apiKey is safe to include in client code — it identifies your project to Google; it does not grant access to your data.
What actually protects a Firebase app
- Firebase Security Rules (Firestore / Realtime DB / Storage) — these decide who can read and write. This is your real lock.
- Authentication — who the user is.
- App Check — blocks requests from clients that aren’t your app.
So the apiKey being visible is normal. What you should worry about is whether your Security Rules are locked down — a database left in "test mode" with open rules is the real risk, and that requires verifying ownership to test safely.
What you SHOULD keep secret
Firebase Admin SDK service-account credentials (a private key JSON) must never ship to the browser — those do grant full access. That’s different from the public web apiKey.
Shipshape will not flag your Firebase apiKey. It does flag genuinely dangerous things like an embedded private key.
FAQ
Is the Firebase apiKey a secret?
No. Google states the Firebase apiKey is safe to include in client-side code. It identifies your project; it does not grant data access.
What protects my Firebase data then?
Firebase Security Rules, Authentication, and App Check — not the apiKey. Open/test-mode rules are the real risk.
What Firebase credential IS secret?
The Admin SDK service-account private key. That must stay server-side only.
Related questions
- Can I just ask ChatGPT to check my app’s security?
- The vibe-coder’s pre-launch checklist (Lovable, Bolt, Replit, v0)
- How do I know if my Supabase database is exposed?
- I leaked my Supabase service_role key — what now?