Firebase Client JS SDK - Where to save private keys?

Question

Until now, I was saving my Firebase project private keys in the app.json of my React Native app. Like this:

"web": {
  "config": {
    "firebase": {
      "apiKey": "x",
      "authDomain": "x.firebaseapp.com",
      "databaseUrl": "https://x.firebaseio.com",
      "projectId": "x",
      "storageBucket": "x.appspot.com",
      "messagingSenderId": "x",
      ...
    }
  }
},

But looking at the docs, I have seen the following:

WARNING: Do not store any secrets (such as private API keys) in your React app!

Environment variables are embedded into the build, meaning anyone can view them by inspecting your app's files.

So, if I shouldn't store secrets in the front-end, how do I use the Firebase client sdk?

score 2 · Accepted Answer · answered May 17 '21 at 10:45

The API key from the config is not a secret key, it's a public key which is used as an identifier and part of the encryption process - so it doesn't need to be protected.

If you would create a new or use an existing service account with potentially critical access to the backend infrastructure, the private key from that account should never be included in your frontend code.

Instead, you would create i.e. a firebase cloud function where you can use the secret without exposing it to the outside world.

Firebase Client JS SDK - Where to save private keys?

1 Answers1