Understanding the Security of Firebase App Initialization

Question

I'm trying to create an expo app without the use of a server as a middleman between the front end and firestore. Via the firestore quickstart ref and expo firestore quickstart (see bottom), it says to initialize a cloud firestore app by passing in an API key to the following function:

// Initialize Cloud Firestore through Firebase
firebase.initializeApp({
  apiKey: '### FIREBASE API KEY ###',
  authDomain: '### FIREBASE AUTH DOMAIN ###',
  projectId: '### CLOUD FIRESTORE PROJECT ID ###'
});

var db = firebase.firestore();

However this javascript code will be run on the client side. Doesn't this expose your API key to a user?

score 1 · Accepted Answer · answered Mar 22 '20 at 19:41

From google firebase docs:

The content is considered public, including your platform-specific ID (entered in the Firebase console setup workflow) and values that are specific to your Firebase project, like your API Key, Realtime Database URL, and Storage bucket name. Given this, use security rules to protect your data and files

You can read more here

Understanding the Security of Firebase App Initialization

1 Answers1