Prepare your ML Kit iOS app for production

If your iOS app uses one of ML Kit's cloud APIs, before you launch your app in production, you should take some additional steps to prevent unauthorized API access.

1. Reduce the scope of existing API keys

First, configure your existing API keys to disallow access to the Cloud Vision API:

  1. Open the Credentials page of the Cloud console. When prompted, select the project with the same name as your Firebase project.

  2. For each API key in the list, open the editing view, and in the Key Restrictions section, add all of the available APIs except the Cloud Vision API to the list.

    When you configure an API key's API Restrictions, you are explicitly declaring the APIs the key grants access to. By default, when the API Restrictions section is empty, an API key can be used to access any API that is enabled for the project.

Now, your existing API keys will not grant access to cloud ML services, but they will continue to work for any APIs you enabled yourself, or that were enabled automatically when you set up Firebase.

Note that if you enable any additional APIs in the future, you must also add them to the API key's API Restrictions list.

2. Create a new API key for use with ML Kit

Next, create a new API key for ML Kit that only allows calls to the Cloud Vision API:

  1. Return to the Credentials page. Be sure your Firebase project is still selected.

  2. Click Create credentials > API key. Take note of the new API key, and then click Restrict key.

  3. In the Key Restrictions section, add only the Cloud Vision API to the list.

This API key grants access only to the Cloud Vision API and can be used by ML Kit to access cloud-based models.

3. Call Cloud APIs using your ML Kit API key

Finally, in your app, configure ML Kit to use your new API key.

Because the ML Kit API key allows unauthenticated access to the Cloud Vision API, it's important to keep the key confidential to prevent unauthorized use and charges to your billing account. To do so, you should refrain from including your API key in your app binary. Instead, at app runtime, verify that a known good user is signed in, and only then, retrieve the API key from a server.

Even when these practices are observed, it is possible for an API key to be compromised. You should take steps to mitigate abuse of stolen keys, such as implementing key rotation policies and issuing different keys to different groups of users.
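One way to retrieve the key at runtime only after sign-in, shown as an added example that is not part of the original page or the Firebase SDK. It assumes the app signs users in with Firebase Authentication; the endpoint URL, the JSON response shape, and the names fetchCloudVisionKey, KeyResponse and KeyFetchError are hypothetical.

```swift
import Foundation
import FirebaseAuth

// Hypothetical endpoint on your own backend. It is assumed to verify the
// Firebase ID token and to answer with JSON such as {"apiKey": "..."}.
let keyEndpoint = URL(string: "https://api.example.com/mlkit-key")!

struct KeyResponse: Decodable {
    let apiKey: String
}

enum KeyFetchError: Error {
    case notSignedIn
    case badResponse
}

// Ephemeral session: no on-disk cache, cookie store or credential store,
// so the key response is not persisted by the networking layer.
let keySession = URLSession(configuration: .ephemeral)

/// Fetches the ML Kit API key for the signed-in user. The key reaches the
/// caller in memory only; it is never compiled into the app binary.
func fetchCloudVisionKey(completion: @escaping (Result<String, Error>) -> Void) {
    // Refuse to request a key unless a user is signed in.
    guard let user = Auth.auth().currentUser else {
        completion(.failure(KeyFetchError.notSignedIn))
        return
    }
    // The ID token lets the server verify who is asking before it answers.
    user.getIDToken { token, error in
        guard let token = token else {
            completion(.failure(error ?? KeyFetchError.notSignedIn))
            return
        }
        var request = URLRequest(url: keyEndpoint)
        request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")

        keySession.dataTask(with: request) { data, response, error in
            // Accept only a 200 response whose body decodes to the expected shape.
            guard let http = response as? HTTPURLResponse, http.statusCode == 200,
                  let data = data,
                  let body = try? JSONDecoder().decode(KeyResponse.self, from: data) else {
                completion(.failure(error ?? KeyFetchError.badResponse))
                return
            }
            completion(.success(body.apiKey))
        }.resume()
    }
}
```

The completion handler runs on a background queue; set `apiKeyOverride` from its success branch, and avoid writing the key to logs or persistent storage.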

After your app has safely acquired the API key, when you want to call an ML Kit Cloud API, specify the key:

Swift

import Firebase

// getYourApiKey() is your own function; see note above about securing your API key
if let cloudVisionKey = getYourApiKey() {
    let options = VisionCloudDetectorOptions()
    options.apiKeyOverride = cloudVisionKey  // use the restricted ML Kit key for cloud calls
    let cloudDetector = Vision.vision().cloudLandmarkDetector(options: options)
}

Objective-C

@import Firebase;

// getYourApiKey is your own method; see note above about securing your API key
NSString *cloudVisionKey = [self getYourApiKey];
if (cloudVisionKey != nil) {
    FIRVision *vision = [FIRVision vision];
    FIRVisionCloudDetectorOptions *options =
            [[FIRVisionCloudDetectorOptions alloc] init];
    options.APIKeyOverride = cloudVisionKey;  // use the restricted ML Kit key for cloud calls
    FIRVisionCloudLandmarkDetector *landmarkDetector =
            [vision cloudLandmarkDetectorWithOptions:options];
}

In addition, you should follow the general advice in Securing an API key.

Next steps

See the launch checklist for information on preparing your app to launch when using other Firebase features.
