Step-by-Step Guide
6 steps

How to Fix API Key Exposure in Firebase Studio Apps

Firebase Studio apps often trigger API key warnings, but not all Firebase keys are secrets. The Firebase API key is designed to be public. This guide helps you distinguish between safe public keys and truly exposed secrets, then fix any real issues.


Follow These Steps

Step 1: Identify which keys are actually exposed

Firebase API keys (AIzaSy...) are designed to be public. Focus on finding third-party secrets like OpenAI keys, Stripe secret keys, or database passwords.

Code Example
# These are NOT secrets (safe in frontend):
# AIzaSy... (Firebase API key)
# eyJhbGci... (Supabase anon key)

# These ARE secrets (must be server-side only).
# -E selects extended regex so the alternation works on GNU and BSD grep alike:
grep -rnE "sk-proj|sk-live|sk_live|OPENAI|STRIPE.*SECRET|DATABASE_URL" src/ --include="*.ts" --include="*.js"
Step 2: Restrict your Firebase API key in Google Cloud Console

While the Firebase API key is not a secret, restricting it prevents quota abuse.

Code Example
// Google Cloud Console > APIs & Services > Credentials
// 1. Click your Firebase API key
// 2. Application restrictions: HTTP referrers
// 3. Add: yourdomain.com/*
// 4. API restrictions: Only Firebase APIs you use
// 5. Save
Step 3: Move third-party secrets to the Cloud Functions environment

Any non-Firebase secret keys must be stored in Cloud Functions configuration or Secret Manager.

Code Example
# Using Firebase Functions config (deprecated; see Common Mistakes below)
firebase functions:config:set openai.key="sk-proj-your-new-key"

# Or using Secret Manager (recommended)
firebase functions:secrets:set OPENAI_API_KEY

# Access in a v2 Cloud Function. The secret is only injected into process.env
# when the function declares it in `secrets`; without that binding the value is undefined.
import { onCall } from 'firebase-functions/v2/https'

export const generateText = onCall({ secrets: ['OPENAI_API_KEY'] }, async (request) => {
  const key = process.env.OPENAI_API_KEY
  // ... use key
})
Step 4: Create Cloud Functions for third-party API calls

Move any frontend code that calls third-party APIs to Cloud Functions.

Code Example
import { onCall, HttpsError } from 'firebase-functions/v2/https'
import { defineSecret } from 'firebase-functions/params'

const openaiKey = defineSecret('OPENAI_API_KEY')

export const chat = onCall({ secrets: [openaiKey] }, async (request) => {
  if (!request.auth) throw new HttpsError('unauthenticated', 'Login required')

  // request.data is forwarded as-is here; validate the model and message shape
  // before this point so callers cannot pick arbitrary parameters on your key
  const response = await fetch('https://api.openai.com/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${openaiKey.value()}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(request.data)
  })
  if (!response.ok) {
    // Do not relay the upstream error body to the client; it can contain account details
    throw new HttpsError('internal', `Upstream request failed with status ${response.status}`)
  }
  return response.json()
})
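Moving the key server-side closes the exposure, but the function above still lets the authenticated caller choose every parameter of the request made on the server's key (model, message roles, and any extra fields). The following is an added example, not code from the original guide or from Firebase, of the validation layer such a callable should apply before the outbound call. `CallableRequest` and `HttpsError` are minimal stand-ins for the firebase-functions types so the logic runs without the SDK; the model allowlist, size limits, `max_tokens` and system prompt are assumed values you would set for your own app.

```typescript
// Added example, not code from the original guide or from Firebase: the
// validation a hardened `chat` callable should apply before spending the
// server-held key. CallableRequest and HttpsError are minimal stand-ins for
// the firebase-functions types; the policy constants are assumed values.

type Role = 'system' | 'user' | 'assistant'
type ChatMessage = { role: Role; content: string }
type ChatPayload = { model: string; messages: ChatMessage[]; max_tokens: number }
type CallableRequest<T> = { auth?: { uid: string }; data: T }

class HttpsError extends Error {
  code: string
  constructor(code: string, message: string) {
    super(message)
    this.code = code
  }
}

// Server-side policy (assumed values): the client never chooses these.
const ALLOWED_MODELS = ['gpt-4o', 'gpt-4o-mini']
const MAX_MESSAGES = 20
const MAX_TOTAL_CHARS = 8000
const MAX_TOKENS = 512
const SYSTEM_PROMPT: ChatMessage = { role: 'system', content: 'You are a support assistant for ExampleApp.' }

function asObject(v: unknown): Record<string, unknown> {
  return typeof v === 'object' && v !== null ? (v as Record<string, unknown>) : {}
}

// Builds the upstream request body from an untrusted callable payload.
// Only allowlisted fields are copied into a fresh object, so a caller cannot
// smuggle in parameters such as `n`, `tools`, a system message or another model.
function buildUpstreamPayload(request: CallableRequest<unknown>): ChatPayload {
  if (!request.auth) throw new HttpsError('unauthenticated', 'Login required')

  const data = asObject(request.data)
  const model = data.model
  if (typeof model !== 'string' || ALLOWED_MODELS.indexOf(model) === -1) {
    throw new HttpsError('invalid-argument', 'model is not allowed')
  }

  const rawMessages = data.messages
  if (!Array.isArray(rawMessages) || rawMessages.length === 0 || rawMessages.length > MAX_MESSAGES) {
    throw new HttpsError('invalid-argument', 'messages must hold 1..' + MAX_MESSAGES + ' entries')
  }

  let totalChars = 0
  const messages: ChatMessage[] = [SYSTEM_PROMPT] // the server owns the system prompt
  for (let i = 0; i < rawMessages.length; i++) {
    const m = asObject(rawMessages[i])
    const role: Role | null = m.role === 'user' ? 'user' : m.role === 'assistant' ? 'assistant' : null
    const content = m.content
    if (role === null || typeof content !== 'string') {
      throw new HttpsError('invalid-argument', 'each message needs role user|assistant and string content')
    }
    totalChars += content.length
    if (totalChars > MAX_TOTAL_CHARS) throw new HttpsError('invalid-argument', 'conversation too long')
    messages.push({ role: role, content: content })
  }

  return { model: model, messages: messages, max_tokens: MAX_TOKENS }
}

// Stand-alone demo with a constructed request that tries to override server policy.
const demo = buildUpstreamPayload({
  auth: { uid: 'user-123' },
  data: { model: 'gpt-4o', messages: [{ role: 'user', content: 'hi' }], n: 50, tools: [{}] },
})
console.log(JSON.stringify(demo))
```

Inside the real callable, `JSON.stringify(buildUpstreamPayload(request))` replaces `JSON.stringify(request.data)` as the request body. Building the payload from scratch rather than deleting known-bad fields is the design choice that matters: an allowlist still holds when the upstream API adds new parameters.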
Step 5: Update frontend to call Cloud Functions

Replace direct API calls with Firebase Cloud Function invocations.

Code Example
import { getFunctions, httpsCallable } from 'firebase/functions'

const functions = getFunctions()
const chat = httpsCallable(functions, 'chat')

// No third-party key in the browser: the callable carries the user's Firebase
// ID token, and the Cloud Function holds the secret
const result = await chat({ model: 'gpt-4o', messages: [...] })
Step 6: Deploy and verify

Deploy your Cloud Functions and scan your app with VAS to confirm all secrets are properly secured.

Code Example
firebase deploy --only functions
# Then run VAS scan on your deployed app

What You'll Achieve

Firebase API keys are properly restricted, third-party secrets are stored in the Cloud Functions environment, and all sensitive API calls go through authenticated Cloud Functions. Your Firebase Studio app properly separates public and secret credentials.

Common Mistakes to Avoid

Mistake

Trying to hide the Firebase API key

Fix

The Firebase API key (AIzaSy...) is designed to be public. Security comes from Security Rules, not key secrecy. Focus on restricting it in Google Cloud Console instead.

Mistake

Storing secrets in Firestore or Realtime Database

Fix

Database values are accessible based on Security Rules. Store secrets in Cloud Functions environment or Secret Manager, not in the database.

Mistake

Using functions.config() in v2 Cloud Functions

Fix

functions.config() is deprecated in Firebase Functions v2. Use defineSecret() from firebase-functions/params for secret management.

Frequently Asked Questions

Is my Firebase API key (AIzaSy...) exposed?

Firebase API keys are designed to be in frontend code. They are not secrets. Security is enforced by Firebase Security Rules. However, you should restrict the key in Google Cloud Console to prevent quota abuse.

What about password-like strings in my Firebase bundle?

Strings like PASSWORD:"wrong-password" in minified JS are Firebase Auth SDK error code mappings, not exposed passwords. These are normal and not a security issue.

Should I use Secret Manager or functions.config()?

For Firebase Functions v2, use defineSecret() with Secret Manager. The older functions.config() is deprecated and does not work with v2 functions.
