Is it dangerous to expose my Firebase API key in a Web project with the JavaScript SDK? How could I protect it?


This is the code that Firebase gives to configure a Web App that can read Realtime Database data with the JavaScript SDK:

  // Set the configuration for your app
  // TODO: Replace with your project's config object
  var config = {
    apiKey: "apiKey",
    authDomain: "",
    databaseURL: "",
    storageBucket: ""
  };
  // Initialize the SDK with the config before requesting any service
  firebase.initializeApp(config);

  // Get a reference to the database service
  var database = firebase.database();

I would like to make an implementation of tag on a website with shared hosting. I have tested the code with my data and it works.

But as you can see, the API key of the project and the URL of the database would be exposed on the client.

  • Is this dangerous? What possible dangers could there be?
  • Is there any way to avoid it? (I would have to use the JavaScript SDK; I do not know how to use Node or similar, and I want to show the data in a normal web page that already exists in WordPress. I could do it with PHP, but I did not find anything about PHP in Firebase.)

asked by A. Cedano 12.02.2018 at 14:09

1 answer


The danger you can have is that if your API is visible, anyone could copy it and use it to make requests and reach your limit (which would imply that the requests would stop working or an invoice would be passed to you, depending on the type of service you have).

If it is a private project, you can (must) include in the contract that all the code (including API keys) belongs to you and the client cannot use it. Although that is not so simple when it is an application open to the Internet.

To avoid that key theft, many APIs (such as Google or Facebook) allow you to restrict access to a series of domains. Then if you try to access the API outside the indicated host, the request will be rejected.

In Google (the case of Firebase that you indicate) you can restrict the HTTP referrers so that only requests are admitted from certain domains. The steps to follow to create a restricted API would be the following:

  • Go to the Google Developer Console.
  • Click on Credentials
  • Optional: If you do not have a project, you must create one.
  • Click on the "Create Credentials" button and select "API Key"
  • Click on "Restrict Password"
  • In the menu that appears on the following page, select the option "HTTP Referrers".
  • In the text box below, enter the domains you want to have access to your API key (you can use "regular expressions" to include multiple domains / subdomains)
  • Click on Save
  • Now, only the domains specified in the list will have access to your API key.

    You can leave the text box empty to have no restrictions while you are developing and testing your application, but it is important to add a list of domains before moving the application to production.

    answered by 12.02.2018 / 15:36
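
A pre-production check of the referrer list described in the answer above, as an added example that is not part of the original answer or of Google's tooling. The matching is a simplified model: it assumes `*` is the only wildcard, and the function names and sample domains are constructed for illustration.

```javascript
// Added example: simplified model of an HTTP-referrer allow list.
// Assumptions: "*" is the only wildcard; a pattern without a scheme
// matches both http and https; a pattern without a path matches only the root.
const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");

function patternToRegExp(pattern) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)?([^/]*)(\/.*)?$/i.exec(pattern);
  const scheme = m[1] ? esc(m[1]) : "https?://";
  // In the host part "*" never crosses "/", so it cannot swallow a path.
  const host = esc(m[2]).replace(/\*/g, "[^/]*");
  const path = m[3] ? esc(m[3]).replace(/\*/g, ".*") : "/?";
  return new RegExp("^" + scheme + host + path + "$", "i");
}

function refererAllowed(patterns, referer) {
  if (patterns.length === 0) return true; // empty list = no restriction at all
  return patterns.some((p) => patternToRegExp(p).test(referer));
}

// Returns a list of findings; an empty array means the list looks ready.
function auditAllowList(patterns, productionUrls) {
  const findings = [];
  if (patterns.length === 0) {
    findings.push("UNRESTRICTED: list is empty, any site can use the key");
  }
  for (const p of patterns) {
    const host = p.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0];
    if (host === "*" || /^\*\.[^.]+$/.test(host)) findings.push(`TOO_BROAD: ${p}`);
    if (/^(localhost|127\.0\.0\.1)(:|$)/.test(host)) findings.push(`DEV_ENTRY: ${p}`);
  }
  for (const url of productionUrls) {
    if (!refererAllowed(patterns, url)) findings.push(`NOT_COVERED: ${url}`);
  }
  return findings;
}

// Constructed sample data: the site's own pages and a candidate list.
const PROD_URLS = ["https://example.com/", "https://www.example.com/blog/post"];
const PROD_LIST = ["example.com/*", "*.example.com/*"];
console.log(auditAllowList(PROD_LIST, PROD_URLS));
console.log(auditAllowList(["*", "localhost:8080/*"], PROD_URLS));
```

Note that `*.example.com/*` alone does not cover the bare domain, which is why the sample list carries both entries.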