API key - Do I have to remove from my code? (Firebase rtdb)

Hi

I don't know if it is better (to avoid hackers) to remove the API key from my code. Any suggestions?

API key for what?

Google sheet

And which API key is that?

How are you using Google Sheets in your app?

Short answer, it is up to you which connection information you store in the app, or bring into the app on initialisation. Will depend on your required level of security.

Sorry, but I gave you wrong info @TIMAI2

The API key is related to Firebase Realtime Database. Do you think I have to hide it in my code?

Does your Firebase RTDB have secure rules? It should. If it does, then no need to worry about the API key.

From a search:

Hide Firebase RTDB API Key

Firebase API keys are designed to be public and are safe to expose in client-side code, including for Realtime Database (RTDB) projects. The key is not a secret but an identifier for your Firebase project, so hiding it from the frontend is not necessary or practical.

  • Why it's safe: Firebase security is enforced through security rules and authentication, not by hiding API keys. Even if someone accesses your key, they cannot read or write data without proper authentication and authorization.
  • Best practices:
    • Restrict your API key to specific domains using API key restrictions in the Google Cloud Console (under APIs & Services > Credentials).
    • Set quota limits on your API key to prevent abuse.
    • Use Firebase Security Rules to control access to your RTDB data.
    • Enable App Check to further protect against unauthorized access.
  • What you cannot do: You cannot hide the Firebase API key from the client side, as it’s required to initialize the Firebase SDK in the browser. Any attempt to hide it (e.g., via .env files or backend proxies) only adds complexity without real security benefit for the API key itself.
  • For third-party API keys: If you’re using external APIs (e.g., OpenAI, Stripe), those keys should never be exposed in the frontend. Instead, call them via Firebase Cloud Functions or a backend service, where the keys are stored securely in environment variables.

🔒 Bottom line: The Firebase API key is not a secret. Focus on securing your data with rules, auth, and App Check, not by hiding the key.
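The answer above depends on the database rules doing the access control, so here is an added example (not from this thread or from Firebase) that audits a rules file for the cases that make a public API key dangerous. It assumes the rules are exported as strict JSON without comments; `auditRules`, `isLiteral` and both sample rule sets are hypothetical names and constructed data.

```javascript
// Added example: flag world-open access in Realtime Database rules.
// Both rule sets are constructed for illustration, not taken from a real project.
const OPEN_RULES = { rules: { ".read": true, ".write": true } };

const MIXED_RULES = {
  rules: {
    public_feed: { ".read": true, ".write": "auth != null" },
    users: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
};

// True when a rule is the given boolean literal, written as a boolean or a string.
const isLiteral = (rule, lit) => rule === lit || String(rule).trim() === String(lit);

// Hypothetical helper: walk the rules tree and report risky .read/.write rules.
function auditRules(doc) {
  const findings = [];
  function walk(node, path, inherited) {
    const open = { ...inherited };
    for (const op of [".read", ".write"]) {
      if (!(op in node)) continue;
      const rule = node[op];
      const where = path || "/";
      if (open[op]) {
        // Rules cascade: a grant on a parent cannot be revoked by a child rule.
        findings.push({ path: where, op, issue: "ineffective: parent is already open" });
      } else if (isLiteral(rule, true)) {
        findings.push({ path: where, op, issue: "world-open: no authentication required" });
        open[op] = true;
      } else if (!isLiteral(rule, false) && !/\bauth\b/.test(String(rule))) {
        findings.push({ path: where, op, issue: "no auth check in rule expression" });
      }
    }
    for (const [key, child] of Object.entries(node)) {
      if (!key.startsWith(".") && child && typeof child === "object") {
        walk(child, `${path}/${key}`, open);
      }
    }
  }
  walk(doc.rules || {}, "", {});
  return findings;
}

console.log(auditRules(OPEN_RULES));
console.log(auditRules(MIXED_RULES));
```

An empty result means no rule in the file grants access without referring to `auth`; it does not prove the expressions themselves are correct.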

OK, I have rules, so I can avoid hiding it.

Thank you so much!!