An API key is a unique string that's used to route requests to your Firebase project when interacting with Firebase and Google services. This page describes basic information about API keys as well as best practices for using and managing API keys with Firebase apps.
If you've received an email from Google Cloud about a "publicly accessible Google API key for your Google Cloud project" and the API key listed in the email is your Firebase API key, then make sure that the API key meets the following requirements to be safe to include in your code or configuration files. You can verify the following in the APIs & Services > Credentials panel in the Google Cloud console.
- It's the API key that you use for your Firebase app and only for Firebase services. These keys are usually called Browser key (auto created by Firebase) or Android key (auto created by Firebase) or iOS key (auto created by Firebase).
- It has all the required Firebase-related APIs included in the key's "API restrictions" allowlist.
- It does not have any other APIs in its "API restrictions" allowlist. In particular, the list should not have Generative Language API.
Also, make sure that you're using Firebase Security Rules and App Check as recommended for the Firebase products that you use.
You can learn details about API keys for Firebase and find a list of FAQs in Learn about using and managing API keys for Firebase.
The rest of this page provides detailed information about API keys for Firebase, as well as a list of FAQs about these keys.
General information about API keys and Firebase
API keys for Firebase are different from typical API keys
Unlike how API keys are typically used, API keys for Firebase services are not used to control access to backend resources; that can only be done with Firebase Security Rules (to control which end users can access resources) and Firebase App Check (to control which apps can access resources).
Usually, you need to fastidiously guard API keys (for example, by using a vault service or setting the keys as environment variables); however, API keys for Firebase services are OK to include in code or checked-in config files.
Although API keys for Firebase services are safe to include in code, you should review and apply appropriate restrictions and limits to them.
Creating API keys
A Firebase project can have many API keys, but each API key can only be associated with a single Firebase project.

Firebase automatically creates API keys for your project when you do any of the following:
- Create a Firebase project > Browser key auto-created
- Create a Firebase Apple App > iOS key auto-created
- Create a Firebase Android App > Android key auto-created
You can also create your own API keys in the Google Cloud console, for example for development or debugging. Learn more about when this might be recommended later on this page.
Finding your API keys
You can view and manage all your project's API keys in the APIs & Services > Credentials panel in the Google Cloud console.
You can also find which API key is automatically matched to a Firebase App in the following places. By default, all of your project's Firebase Apps for the same platform (Apple vs Android vs Web) will use the same API key.
- Firebase Apple Apps — Find the auto-matched API key in the Firebase config file, GoogleService-Info.plist, in the API_KEY field.
- Firebase Android Apps — Find the auto-matched API key in the Firebase config file, google-services.json, in the current_key field.
- Firebase Web Apps — Find the auto-matched API key in the Firebase config object, in the apiKey field.
Using an API key
API keys for Firebase are used to identify your Firebase project when interacting with Firebase or Google services. Specifically, they're used to associate API requests with your project for quota and billing. They're also useful for accessing public data.
For the vast majority of developers and use cases, you don't interact with these API keys directly. Instead, when your app makes a call to a Firebase API that requires an API key provided by the mobile or web client, your app will automatically look for an API key in your app's Firebase configuration. This config was added to your app's codebase when you connected your app to Firebase.
Note that you can provide your app's API key within your app using a different mechanism, like Firebase options or using environment variables.
Also, for a few of the REST APIs for Firebase services, you might need to explicitly pass the value of the API key into the call as a query parameter. This example shows how you might make a request using the Firebase Authentication API:
https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=API_KEY
Review and apply appropriate restrictions to API keys (recommended)
Although it's not necessary to treat an API key for Firebase services as a secret, you should review and apply restrictions and limits as described in this section.
Review the APIs automatically added to the allowlist for your Firebase API keys
When Firebase creates an API key in your project, we automatically add "API restrictions" to that key. The APIs added to this allowlist are Firebase-related APIs that require the client to provide an API key along with the call. Note that most APIs required for use of Firebase services don't actually need to be on the allowlist for your API keys.
Since Firebase adds the necessary APIs for all Firebase services, the allowlist for an API key may include APIs for products that you do not use. You can remove APIs from the allowlist, but you must be very careful to not remove the APIs required for Firebase and the Firebase services that you use (see the list of the Firebase-related APIs that need to be on the allowlist for each service / product). Otherwise, you will get errors when making calls to Firebase services.
Tighten quota if you use password-based Authentication
If you use password-based Firebase Authentication and someone gets hold of your API key, they will not be able to access any of your Firebase project's database or Cloud Storage data as long as this data is protected by Firebase Security Rules. They could, however, use your API key to access Firebase's authentication endpoints and make authentication requests against your project.
To mitigate against the possibility that someone might misuse an API key to attempt a brute force attack, you can tighten the default quota of the identitytoolkit.googleapis.com endpoints to reflect the normal traffic expectations of your app. Be aware that if you tighten this quota and your app suddenly gains users, you might get sign-in errors until you increase the quota. You can change your project's API quotas in the Google Cloud console.
Use separate, restricted API keys for any non-Firebase service
Although API keys used for Firebase services do not generally need to be treated as secret, you should take some extra precautions with API keys that you use with other Google Cloud APIs.
If you use a Google Cloud API (on any platform) that's not for a Firebase service / product, we strongly recommend creating separate, restricted API keys for use with those APIs. This is particularly important if the API is for a billable Google Cloud service.
By using separate, restricted API keys for non-Firebase APIs, you can rotate or replace the keys when necessary and add additional restrictions to the API keys without disrupting your use of Firebase services.
These instructions describe how to create a separate, restricted API key for a fake API called Super Service API.
Step 1: Configure your existing API keys to disallow access to Super Service API
Open the Credentials page of the Google Cloud console. When prompted, select your project.
For each existing API key in the list, open the editing view.
In the API restrictions section, select Restrict key, then add to the list all of the APIs to which you want the API key to have access. Make sure to not include the API for which you're creating a separate API key (in this example, Super Service API).
When you configure an API key's API restrictions, you are explicitly declaring the APIs to which the key has access. By default, when the API restrictions section has Don't restrict key selected, an API key can be used to access any API that is enabled for the project.
Now, your existing API keys will not grant access to Super Service API, but each key will continue to work for any APIs that you added to its API restrictions list.
Step 2: Create and use a new API key for access to Super Service API
Return to the Credentials page. Be sure your Firebase project is still selected.
Click Create credentials > API key. Take note of the new API key, then click Restrict key.
In the API restrictions section, select Restrict key, then add to the list only the Super Service API.
This new API key grants access only to the Super Service API.
Configure your app and services to use the new API key.
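The key requirements listed at the top of this page and the separate-key procedure above can be checked together over an export of a project's keys; the following is an added example, not code from Firebase or Google. It assumes key records shaped like the API Keys API v2 resource (`displayName`, `restrictions.apiTargets[].service`); `audit_keys`, the sample keys, the one-entry Firebase allowlist and the `superservice.example` service name are constructed for illustration.

```python
GENERATIVE_LANGUAGE = "generativelanguage.googleapis.com"
IDENTITY_TOOLKIT = "identitytoolkit.googleapis.com"
SUPER_SERVICE = "superservice.example"  # placeholder for the page's fake API

def audit_keys(keys, firebase_apis, dedicated):
    """Return {displayName: [findings]} for API Keys API v2 style key records.

    firebase_apis: Firebase-related APIs required by the services you use.
    dedicated: {service: displayName} naming the one key allowed per non-Firebase API.
    """
    report = {}
    for key in keys:
        name = key.get("displayName") or key.get("uid", "<unnamed>")
        targets = key.get("restrictions", {}).get("apiTargets", [])
        services = {t["service"] for t in targets}
        findings = []
        if not services:
            # "Don't restrict key": usable with any API enabled in the project.
            findings.append("unrestricted")
        if GENERATIVE_LANGUAGE in services:
            findings.append("allows Generative Language API")
        # A dedicated key may hold only its own API; other keys only Firebase APIs.
        own = {s for s, k in dedicated.items() if k == name}
        expected = own or firebase_apis
        for svc in sorted(services - expected - {GENERATIVE_LANGUAGE}):
            owner = dedicated.get(svc)
            hint = f" (move to '{owner}')" if owner else ""
            findings.append(f"unexpected API {svc}{hint}")
        if services:
            findings += [f"missing required API {s}" for s in sorted(expected - services)]
        report[name] = findings
    return report

def sample_key(name, *services):
    """Build a constructed key record in the assumed JSON shape."""
    return {"displayName": name, "restrictions": {"apiTargets": [{"service": s} for s in services]}}

# Constructed sample keys, not taken from any real project.
SAMPLE_KEYS = [
    sample_key("Browser key (auto created by Firebase)", IDENTITY_TOOLKIT),
    sample_key("Android key (auto created by Firebase)", IDENTITY_TOOLKIT, GENERATIVE_LANGUAGE),
    sample_key("iOS key (auto created by Firebase)", IDENTITY_TOOLKIT, SUPER_SERVICE),
    sample_key("Debug key"),
    sample_key("Super Service key", SUPER_SERVICE),
]
FIREBASE_APIS = {IDENTITY_TOOLKIT}  # sample only, not the full Firebase list
DEDICATED = {SUPER_SERVICE: "Super Service key"}

if __name__ == "__main__":
    for key_name, found in audit_keys(SAMPLE_KEYS, FIREBASE_APIS, DEDICATED).items():
        print(f"{key_name}: {'; '.join(found) or 'ok'}")
```

Replace `FIREBASE_APIS` with the Firebase-related APIs required for the products you actually use before running this against a real export.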