I'm developing email verification and password reset via email using Firebase. All of the functions are working very well. However, I have one concern.

When I send an email with an 'Action URL (Link)', the apiKey is exposed in the URL, even though the example URL is written like "https://example.com/acctmgmt?mode=action&oobCode=code". The actual URL that arrives in the email looks like this: "https://example.com/acctmgmt?mode=action&oobCode=code&apiKey=key".

I have searched and understand that exposing the apiKey is not a huge problem if I set referrers in the Google Console, but I think it is not ideal to expose the apiKey.

Is it basically OK for it to be exposed in the URL or not? If not, how could I hide it in the URL?

P.S. I'm sending the email from Android.

M__
forceson

1 Answer

That API key string is public information the moment you publish your app. There is nothing private about it. You can think of it less like a private API key and more like a public unique identifier for your project. Any API calls from any source (both inside and outside your app) need to know how to identify your project, and that's how they do it. Without that, there is no way that the verification email can provide a link that actually verifies the user for your project.

If you are concerned about people having access to your project with this key, you need to look into Firebase security rules. That's the only way of preventing undesired access to the resources in your project.

Doug Stevenson
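As an added illustration of the answer's point (example code, not part of the question or answer above, and not Firebase's own handler code): a custom action-handler page can parse the link format shown in the question, treat the apiKey only as a project identifier to compare against the key the page was built with, and leave real authorization to the one-time oobCode and the project's security rules. The expected key value is a constructed placeholder, and the same-origin check on continueUrl is an assumption made here to avoid open redirects.

```javascript
// Added example: parse a Firebase email action link such as
//   https://example.com/acctmgmt?mode=verifyEmail&oobCode=code&apiKey=key
// The apiKey is public, so the only meaningful check is that the link was
// generated for this project; authorization is done server-side by Firebase
// when the oobCode is applied, subject to the project's security rules.
const EXPECTED_API_KEY = 'AIza-EXAMPLE-PUBLIC-KEY'; // constructed placeholder

// Action modes Firebase places in the `mode` parameter of action links.
const KNOWN_MODES = new Set(['resetPassword', 'recoverEmail', 'verifyEmail']);

function parseActionLink(link, expectedApiKey = EXPECTED_API_KEY) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { ok: false, reason: 'not a valid URL' };
  }
  const mode = url.searchParams.get('mode');
  const oobCode = url.searchParams.get('oobCode');
  const apiKey = url.searchParams.get('apiKey');
  const continueUrl = url.searchParams.get('continueUrl');

  if (!KNOWN_MODES.has(mode)) {
    return { ok: false, reason: `unknown mode: ${mode}` };
  }
  if (!oobCode) {
    return { ok: false, reason: 'missing oobCode' };
  }
  // A mismatch means the link was not generated for this project's config.
  if (apiKey !== expectedApiKey) {
    return { ok: false, reason: 'apiKey does not match this project' };
  }
  // Assumption: only follow a continueUrl on the handler page's own origin,
  // so a tampered link cannot turn the handler into an open redirect.
  if (continueUrl) {
    let cont;
    try {
      cont = new URL(continueUrl);
    } catch (e) {
      return { ok: false, reason: 'bad continueUrl' };
    }
    if (cont.origin !== url.origin) {
      return { ok: false, reason: 'continueUrl is off-origin' };
    }
  }
  return { ok: true, mode, oobCode, continueUrl: continueUrl || null };
}
```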