by someothherguyy 51 days ago
> Back then, they did not automatically restrict those keys to only Firebase-related APIs.

If that is the case, why is this also in the 2022 link?

The part about scoping links to the restrictions documentation.

"Understand API keys

API keys for Firebase services are not secret

Firebase uses API keys only to identify your app's Firebase project to Firebase services, and not to control access to database or Cloud Storage data, which is done using Firebase Security Rules. For this reason, you do not need to treat API keys for Firebase services as secrets, and you can safely embed them in client code. Learn more about API keys for Firebase.

Set up API key scoping

As an additional deterrent against an attacker attempting to use your API key to spoof requests, you can create API keys scoped to your app clients.

Keep FCM server keys secret

Unlike API keys for Firebase services, FCM server keys (used by the legacy FCM HTTP API) are sensitive and must be kept secret.

Keep service account keys secret

Also unlike API keys for Firebase services, service account private keys (used by the Admin SDK) are sensitive and must be kept secret."
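Added example, not code from the comment above or from Firebase's documentation: a small Python classifier that applies the distinction the quoted docs draw when scanning a repository, reporting an embedded Firebase API key as informational and a service account key or legacy FCM server key as a secret that must not ship in client code. The file contents are constructed placeholders; the `AIza` prefix is the Google API key format, and the `AAAA...:APA91b...` legacy FCM server key shape is an assumption.

```python
import json
import re

# Constructed sample files standing in for a client bundle and a server repo.
# Every value below is a made-up placeholder, not a real credential.
SAMPLE_FILES = {
    "web/firebase-config.js": (
        'const firebaseConfig = { apiKey: "'
        + "AIza" + "SyEXAMPLE_PLACEHOLDER_" + "0" * 13
        + '", projectId: "example-project" };'
    ),
    "server/service-account.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n",
    }),
    "server/push.env": "FCM_SERVER_KEY=AAAAexample0000:APA91bEXAMPLEPLACEHOLDER",
}

# Google API keys (what the Firebase web/mobile SDKs embed) start with "AIza"
# and are 39 characters long.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# Legacy FCM server keys: "AAAA<id>:APA91b<...>" (assumed shape, see lead-in).
FCM_SERVER_KEY_RE = re.compile(r"\bAAAA[0-9A-Za-z_-]+:APA91b[0-9A-Za-z_-]+")


def classify(path, text):
    """Return (severity, kind, path) findings for one file's contents."""
    findings = []
    if API_KEY_RE.search(text):
        # A Firebase API key only identifies the project; data access is
        # enforced by Security Rules, so this is informational. Still worth
        # restricting the key to the app's own platforms in the console.
        findings.append(("info", "firebase_api_key", path))
    if FCM_SERVER_KEY_RE.search(text):
        # Legacy FCM server key: authorizes sending pushes, must stay secret.
        findings.append(("high", "fcm_server_key", path))
    if '"type": "service_account"' in text or "BEGIN PRIVATE KEY" in text:
        # Admin SDK service account credentials bypass Security Rules entirely.
        findings.append(("high", "service_account_key", path))
    return findings


def scan(files):
    """Classify every file in a {path: contents} mapping."""
    results = []
    for path, text in files.items():
        results.extend(classify(path, text))
    return results


if __name__ == "__main__":
    for severity, kind, path in sorted(scan(SAMPLE_FILES)):
        print(f"{severity:5} {kind:22} {path}")
```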