0

I have built an Android app to send user-to-user notifications using Firebase Cloud Messaging, and for that I have included the FCM server key in the client code. Recently, I came to know that this is a security risk: there could be a malicious attack, and the attacker could send messages using that FCM server key (if he comes to know about it). I am looking for an alternative; can you guide me?

I am using this tutorial: Notification Tutorial

1 Answer

0

I agree that including the key in your client is a security risk!

One option you have is to send the notification via a cloud function. The cloud function would have the responsibility of all the interaction with FCM -- thus you keep the key secret. At the same time the function is able to do any necessary validation that the user is allowed to send the notification (e.g. authentication, rate limiting, formatting the message properly, etc).

Then have your app call the cloud function instead of trying to call FCM itself directly.

robsiemb
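One way to structure the cloud function the answer above describes, as an added example that is not part of the original answer: the handler authenticates the caller, rate-limits per sender, and builds the FCM message server-side. `makeHandler`, `lookupUser`, the 5-per-minute limit and the 200-character cap are assumptions, and the Firebase Admin SDK calls named in the comments are injected as parameters so the logic runs offline.

```javascript
// Added example. Dependencies are injected so the logic runs offline; in a deployed
// function they would be Firebase Admin SDK calls (assumed, noted inline).
const LIMIT = 5, WINDOW_MS = 60000; // assumed policy: 5 sends per sender per minute

// In-memory limiter for the demo; function instances do not share memory, so a
// deployed version needs shared storage for these counters.
function makeRateLimiter(limit, windowMs) {
  const hits = new Map(); // uid -> timestamps of sends inside the window
  return (uid, now) => {
    const recent = (hits.get(uid) || []).filter((t) => now - t < windowMs);
    const allowed = recent.length < limit;
    if (allowed) recent.push(now);
    hits.set(uid, recent);
    return allowed;
  };
}

// The message is built server-side from validated fields; the client never supplies a
// raw FCM payload or a device token.
function buildMessage(deviceToken, senderName, text) {
  if (typeof text !== 'string' || text.length === 0 || text.length > 200) {
    throw new Error('invalid-argument');
  }
  const title = `Message from ${senderName || 'someone'}`;
  return { token: deviceToken, notification: { title, body: text } };
}

function makeHandler({ verifyIdToken, lookupUser, send, now = Date.now }) {
  const allow = makeRateLimiter(LIMIT, WINDOW_MS);
  return async function sendNotification({ idToken, recipientUid, text }) {
    let sender;
    try {
      sender = await verifyIdToken(idToken); // e.g. admin.auth().verifyIdToken(idToken)
    } catch (err) {
      return { ok: false, error: 'unauthenticated' };
    }
    if (!allow(sender.uid, now())) return { ok: false, error: 'resource-exhausted' };
    const recipient = await lookupUser(recipientUid); // hypothetical server-side lookup
    if (!recipient) return { ok: false, error: 'not-found' };
    let message;
    try {
      message = buildMessage(recipient.deviceToken, sender.name, text);
    } catch (err) {
      return { ok: false, error: err.message };
    }
    await send(message); // e.g. admin.messaging().send(message)
    return { ok: true };
  };
}
```

The app sends only its Firebase Auth ID token, the recipient's user id and the text; the FCM credential and the recipient's device token stay on the server.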