An API key is a unique string that's used to route requests to your Firebase project when interacting with Firebase and Google services. This page describes basic information about API keys as well as best practices for using and managing API keys with Firebase apps.
General information about API keys and Firebase
API keys for Firebase are different from typical API keys
Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules (to control which users can access resources) and App Check (to control which apps can access resources).
Usually, you need to fastidiously guard API keys (for example, by using a vault service or setting the keys as environment variables); however, API keys for Firebase services are ok to include in code or checked-in config files.
Although API keys for Firebase services are safe to include in code, there are a few specific cases when you should enforce limits for your API key; for example, if you're using Firebase ML, Firebase Authentication with the email/password sign-in method, or a billable Google Cloud API. Learn more about these cases later on this page.
Creating API keys
A Firebase project can have many API keys, but each API key can only be associated with a single Firebase project.
Firebase automatically creates API keys for your project when you do any of the following:
- Create a Firebase project >
- Create a Firebase Apple App >
- Create a Firebase Android App >
Finding your API keys
You can view and manage all your project's API keys in the APIs & Services > Credentials panel in the Google Cloud console.
You can also find which API key is automatically matched to a Firebase App in the following places. By default, all of your project's Firebase Apps for the same platform (Apple vs Android vs Web) will use the same API key.
Firebase Apple Apps — Find an app's auto-matched API key in the Firebase config file,
, in the
Firebase Android Apps — Find an app's auto-matched API key in the Firebase config file,
, in the
Firebase Web Apps — Find an app's auto-matched API key in the Firebase config object, in the
Using an API key
API keys are used to identify your Firebase project when interacting with Firebase/Google services. Specifically, they're used to associate API requests with your project for quota and billing. They're also useful for accessing public data.
For example, you can explicitly use an API key by passing its value into a REST API call as a query parameter. This example shows how you might make a request to the Dynamic Links link shortener API:
When your app makes a call to a Firebase API, your app will automatically look in the Firebase config file/object for your project's API key. You can, however, set your API keys using a different mechanism, including environment variables.
Apply restrictions to API keys (recommended)
Although it's not necessary to treat an API key for Firebase services as a secret, there are some specific cases (see below) in which you might want to take additional measures to protect your project from misuse of the API key.
Tighten quota if you use password-based Authentication
If you use password-based Firebase Authentication and someone gets hold of your API key, they will not be able to access any of your Firebase project's database or Cloud Storage data as long as this data is protected by Firebase Security Rules. They could, however, use your API key to access Firebase's authentication endpoints and make authentication requests against your project.
To mitigate against the possibility that someone might misuse an API key to
attempt a brute force attack, you can tighten the default quota of the
identitytoolkit.googleapis.com endpoints to reflect the normal traffic
expectations of your app. Be aware that if you tighten this quota and your app
suddenly gains users, you might get sign-in errors until you increase the quota.
You can change your project's API quotas in the
Google Cloud console.
Use separate, restricted API keys for specific types of APIs
Although API keys used for Firebase services do not generally need to be treated as secret, you should take some extra precautions with API keys used to grant access to Google Cloud APIs that you've manually enabled.
If you use a Google Cloud API (on any platform) that is not automatically enabled by Firebase (meaning you enabled it yourself), you should consider creating separate, restricted API keys for use with those APIs. This is particularly important if the API is for a billable Google Cloud service.
For example, if you use Firebase ML's Cloud Vision APIs on iOS, you should create separate API keys that you use only for accessing the Cloud Vision APIs.
By using separate, restricted API keys for non-Firebase APIs, you can rotate or replace the keys when necessary and add additional restrictions to the API keys without disrupting your use of Firebase services.
Expand this section to learn how to create API-specific keys
These instructions describe how to create a separate, restricted API key for a
fake API called
Super Service API.
Step 1: Configure your existing API keys to disallow access to
Super Service API
Open the Credentials page of the Google Cloud console. When prompted, select your project.
For each existing API key in the list, open the editing view.
In the API restrictions section, select Restrict key, then add to the list all of the APIs to which you want the API key to have access. Make sure to not include the API for which you're creating a separate API key (in this example,
Super Service API).
When you configure an API key's API restrictions, you are explicitly declaring the APIs to which the key has access. By default, when the API restrictions section has Don't restrict key selected, an API key can be used to access any API that is enabled for the project.
Now, your existing API keys will not grant access to
Super Service API, but
each key will continue to work for any APIs that you added to its
API restrictions list.
Step 2: Create and use a new API key for access to
Super Service API
Return to the Credentials page. Be sure your Firebase project is still selected.
Click Create credentials > API key. Take note of the new API key, then click Restrict key.
In the API restrictions section, select Restrict key, then add to the list only the
Super Service API.
This new API key grants access only to the
Super Service API.
Configure your app and services to use the new API key.
Use environment-specific API keys (recommended)
If you set up different Firebase projects for different environments, such as staging and production, it's important that each app instance interacts with its corresponding Firebase project. For example, your staging app instance should never talk to your production Firebase project. This also means that your staging app needs to use API keys associated with your staging Firebase project.
To reduce problems promoting code changes from development to staging to production, instead of including API keys in the code itself, either set them as environment variables or include them in a configuration file.
Note that if you're using the Firebase Local Emulator Suite for development along with Firebase ML, you must create and use a debug-only API key. Instructions for creating that kind of key are found in the Firebase ML docs.
How can I determine which API key
is associated with my Firebase App?
You can use any of the following options to determine which API key is associated with your Firebase App:
Go to Project settings, and then scroll down to the Your apps card.
Select the app of interest.
Obtain the Firebase config file/object for the app of interest, and then find its API key:
Apple: Download the
GoogleService-Info.plist, and then find the
Android: Download the
google-services.json, find the config for the app of interest (look for its package name), and then find the
Web: Select the Config option, and then find the
Obtain the Firebase config file/object for the app of interest by running the following command:
firebase apps:sdkconfig PLATFORM FIREBASE_APP_ID
- PLATFORM (one of):
- FIREBASE_APP_ID: the Firebase-assigned unique identifier for your Firebase App (find your App ID)
- PLATFORM (one of):
In the app's printed Firebase configuration, find its API key:
Apple: Find the
Android: Find the config for the app of interest (look for its package name), and then find the
Web: Find the
apiKeyId(the UID) of the API key by calling the applicable endpoint for the app of interest, and then passing the
apiKeyIdvalue to the next step.
Obtain the API key string by calling
have two API keys listed for the same Firebase App in my Firebase config
Firebase Apple Apps — Each app has its own config file and can have only one API key listed.
Firebase Android Apps — All Android apps in the Firebase project are listed in the same config file, and each app can only have one API key listed. Each app in this config file can have a different key listed, though.
Firebase Web Apps — Each app has its own config object and can have only one API key listed.
You can use multiple API keys with one app, though. You must provide a mechanism for your app to access these other API keys, like via an environment variable. The mechanism to access the other API keys just can't depend on those API keys being listed in your Firebase config file/object.
How does Firebase
know which API key to match to an app (like in the Firebase config
When you first obtain your app's Firebase config file/object, Firebase checks if there are any existing API keys in your project that have "Application Restrictions" that match the app (for example, a matching bundle ID for the Apple app).
If Firebase doesn't find any restricted keys that match, then it will list in
the config file/object the
iOS key for Apple apps, the
Android key for
Android apps, and the
Browser key for web apps (assuming that these keys exist
and have no "Application Restrictions" that keep them from matching to that
Can I manually
delete the API key and field from my Firebase config file/object?
Yes, you can manually delete your API key from your config file/object. However, you must provide some other mechanism for your app to access an API key (like via an environment variable). Otherwise, any calls to Firebase services will fail.
Can I manually
edit my Firebase config file/object with different API keys?
Yes, you can manually edit a config file/object to associate a different API key with an app.
Note that if you re-obtain your app's config file/object from the console, it will always list the API keys that Firebase automatically matches to that app. So, you'll need to repeat your manual edits, as needed.
Can I move an
API key from one Firebase project to another?
No, an API key only identifies a specific project and cannot be moved to another project.
I got an email or error that
my API key is invalid. What happened and how do I fix this?
Here are a few of the most common causes for invalid API keys:
The API key has "API Key Restrictions" applied to it that make it unmatchable to the app attempting to use the key ("Application Restrictions") or unusable for the API being called ("API Restrictions").
The API key was deleted from the project in the Google Cloud console.
The API key was not created for the Project ID listed in the app's Firebase config file/object.
One way to fix this issue is to obtain the updated version of your app's Firebase config file/object, then replace your old config file/object with the new updated file/object. Before sending a config file for download or displaying a config object in the console, Firebase checks that the API key(s) listed match to the app(s).
How do I
fix this error? "Failed to fetch this Firebase app's measurement ID from the
The API key used by your web app probably has "API Restrictions" applied to it. If this is the case, make sure that the Firebase Management API is in the list of allowed APIs.
What happens if I
delete an API key listed in the Google Cloud console?
If you delete an API key that's in use by an app, then API calls from that app will fail. You may get reports, emails, or errors that you're attempting to use an API key that is invalid.
Deleting an API key is permanent and cannot be undone.