Hello Firebase community. A few days ago, we received an email stating that our Google API key, the one stored in google-services.json, was found inside a GitHub project that wasn’t ours. This page has since been removed, but since the key was exposed outside of our app, we’d like to know what’s the best course of action to avoid any related issues. I know it’s technically a public key, but we’re still concerned and want to replace it.
What’s the best way to update/replace the key with a new one, and what options can you recommend to prevent this from happening in the future?
This is an Android project.
Thanks in advance.
1 Like
I assume you mean the Firebase API Key. This key is meant to be used in the client and is okay to commit to source control. (Unfortunately, it’s poorly named as an API Key, which causes confusion. In hindsight, a better name might have been App Id.)
That said, be sure to review all of the guidance on this page: "Firebase security checklist" and "Learn about using and managing API keys for Firebase | Firebase Documentation"
1 Like