Learn about using and managing API keys for Firebase

An API key is a unique string that's used to route requests to your Firebase project when interacting with Firebase and Google services. This page describes basic information about API keys as well as best practices for using and managing API keys with Firebase apps.

General information about API keys and Firebase

API keys for Firebase are different from typical API keys

Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules (to control which users can access resources) and App Check (to control which apps can access resources).

Usually, you need to fastidiously guard API keys (for example, by using a vault service or setting the keys as environment variables); however, API keys for Firebase services are ok to include in code or checked-in config files.

Although API keys for Firebase services are safe to include in code, there are a few specific cases when you should enforce limits for your API key; for example, if you're using Firebase ML, Firebase Authentication with the email/password sign-in method, or a billable Google Cloud API. Learn more about these cases later on this page.

Creating API keys

A Firebase project can have many API keys, but each API key can only be associated with a single Firebase project.

API keys automatically created by Firebase for your Firebase Apps

Firebase automatically creates API keys for your project when you do any of the following:

  • Create a Firebase project > Browser key auto-created
  • Create a Firebase Apple App > iOS key auto-created
  • Create a Firebase Android App > Android key auto-created

You can also create your own API keys in the Google Cloud console, for example for development or debugging. Learn more about when this might be recommended later on this page.

Finding your API keys

You can view and manage all your project's API keys in the APIs & Services > Credentials panel in the Google Cloud console.

You can also find which API key is automatically matched to a Firebase App in the following places. By default, all of your project's Firebase Apps for the same platform (Apple vs Android vs Web) will use the same API key.

  • Firebase Apple Apps — Find an app's auto-matched API key in the Firebase config file, GoogleService-Info.plist, in the API_KEY field.

  • Firebase Android Apps — Find an app's auto-matched API key in the Firebase config file, google-services.json, in the current_key field.

  • Firebase Web Apps — Find an app's auto-matched API key in the Firebase config object, in the apiKey field.

Using an API key

API keys are used to identify your Firebase project when interacting with Firebase/Google services. Specifically, they're used to associate API requests with your project for quota and billing. They're also useful for accessing public data.

For example, you can explicitly use an API key by passing its value into a REST API call as a query parameter. This example shows how you might make a request to the Dynamic Links link shortener API:

POST https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=API_KEY

When your app makes a call to a Firebase API, your app will automatically look in the Firebase config file/object for your project's API key. You can, however, set your API keys using a different mechanism, including environment variables.

Apply restrictions to API keys (recommended)

Although it's not necessary to treat an API key for Firebase services as a secret, there are some specific cases (see below) in which you might want to take additional measures to protect your project from misuse of the API key.

Tighten quota if you use password-based Authentication

If you use password-based Firebase Authentication and someone gets hold of your API key, they will not be able to access any of your Firebase project's database or Cloud Storage data as long as this data is protected by Firebase Security Rules. They could, however, use your API key to access Firebase's authentication endpoints and make authentication requests against your project.

To mitigate against the possibility that someone might misuse an API key to attempt a brute force attack, you can tighten the default quota of the identitytoolkit.googleapis.com endpoints to reflect the normal traffic expectations of your app. Be aware that if you tighten this quota and your app suddenly gains users, you might get sign-in errors until you increase the quota. You can change your project's API quotas in the Google Cloud console.

Use separate, restricted API keys for specific types of APIs

Although API keys used for Firebase services do not generally need to be treated as secret, you should take some extra precautions with API keys used to grant access to Google Cloud APIs that you've manually enabled.

If you use a Google Cloud API (on any platform) that is not automatically enabled by Firebase (meaning you enabled it yourself), you should consider creating separate, restricted API keys for use with those APIs. This is particularly important if the API is for a billable Google Cloud service.

For example, if you use Firebase ML's Cloud Vision APIs on iOS, you should create separate API keys that you use only for accessing the Cloud Vision APIs.

By using separate, restricted API keys for non-Firebase APIs, you can rotate or replace the keys when necessary and add additional restrictions to the API keys without disrupting your use of Firebase services.

Use environment-specific API keys (recommended)

If you set up different Firebase projects for different environments, such as staging and production, it's important that each app instance interacts with its corresponding Firebase project. For example, your staging app instance should never talk to your production Firebase project. This also means that your staging app needs to use API keys associated with your staging Firebase project.

To reduce problems promoting code changes from development to staging to production, instead of including API keys in the code itself, either set them as environment variables or include them in a configuration file.

Note that if you're using the Firebase Local Emulator Suite for development along with Firebase ML, you must create and use a debug-only API key. Instructions for creating that kind of key are found in the Firebase ML docs.

FAQs