As per this answer, it is not a security risk to publicly expose your firestore api key, however, as later answers to that question pointed out, people can make excessive requests with it and drain your quota. Does firestore have any features to prevent excessive requests? If not, why do the docs show examples such as this that tell you to put all your config, including apiKey, in client side JavaScript?
While the easiest way to use Firestore is to use one of the native client libraries, there are some situations when it is useful to call the REST API directly. The REST API can be helpful for the following use cases:
You can, however, set your API keys using a different mechanism, including environment variables. Although it's not necessary to treat an API key for Firebase services as a secret, there are some specific cases (see below) in which you might want to take additional measures to protect your project from misuse of the API key.
When a Cloud Firestore request succeeds, the Cloud Firestore API returns an HTTP 200 OK status code and the requested data. When a request fails, the Cloud Firestore API returns an HTTP 4xx or 5xx status code and a response with information about the error. The following table lists recommended actions for each error code.
For requests authenticated with a Firebase ID token and for unauthenticated requests, Firestore uses your Firestore Security Rules to determine if a request is authorized. You can generate an access token by using a service account with a Google API Client Library or by following the steps in Using OAuth 2.0 for Server to Server Applications.
Firebase monitors for abuse. If you think your database is seeing undetected abuse, reach out to Firebase support for personalized help in troubleshooting.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With