As per the documentation:
Do not include the API key anywhere in your client code.
And it is the case in our current Android app -- the API Key is nowhere included in the code. However, for the new version 3.0.0 of com.google.gms:google-services library, it started throwing error Missing api_key/current_key without it, as discussed here: Missing api_key/current key with Google Services 3.0.0.
Also, Google's config generator https://developers.google.com/mobile/add?platform=android&cntapi=gcm includes the API Key in the google-services.json file.
Is it supposed to be kept secret? Or is it safe to include it in the client app?
The google-services.json file represents the configuration for all of the services available within Firebase. There are some services that require an "Android" API key. These are the API keys that you will find in the google-services.json file. Your app may or may not use these API keys depending on the Firebase APIs your app is using.
FCM has a "Server" API key that is used to send messages; this API key is NOT the key included in the google-services.json file. The server API key should never be included in your application. The google services plugin, however, does look for those Android API keys at build time, and that could be the reason for your error; it is not because your FCM server API key is missing.
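A pre-build check along the lines of the answer above, as an added example that is not part of the original answer or of Google's plugin: it reports which client entries in google-services.json lack the Android API key, and confirms that the FCM server key does not appear in the client file. The client / api_key / current_key layout is assumed from the error message and the generator's output; the function names and all sample values are constructed for illustration.

```python
import json

# Constructed sample; every value is a placeholder, not a real identifier or key.
SAMPLE = """{
  "project_info": {"project_number": "000000000000", "project_id": "example-project"},
  "client": [
    {"client_info": {"android_client_info": {"package_name": "com.example.app"}},
     "api_key": [{"current_key": "PLACEHOLDER_ANDROID_KEY"}]},
    {"client_info": {"android_client_info": {"package_name": "com.example.app.debug"}},
     "api_key": []}
  ]
}"""
SAMPLE_CONFIG = json.loads(SAMPLE)


def clients_missing_key(config):
    """Return package names whose client entry has no api_key/current_key."""
    missing = []
    for client in config.get("client", []):
        info = client.get("client_info", {}).get("android_client_info", {})
        keys = [k.get("current_key") for k in client.get("api_key", [])
                if isinstance(k, dict)]
        if not any(keys):
            missing.append(info.get("package_name", "<unknown>"))
    return missing


def server_key_leaked(config_text, server_key):
    """True if the caller-supplied FCM server key appears in the client file."""
    return bool(server_key) and server_key in config_text


if __name__ == "__main__":
    print("clients without an Android API key:", clients_missing_key(SAMPLE_CONFIG))
    # In CI the server key would come from the secret store; constructed here.
    print("server key in client config:",
          server_key_leaked(SAMPLE, "CONSTRUCTED_SERVER_KEY"))
```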
Answering my own question.
If I create a new test project on Firebase (https://console.firebase.google.com), it also includes the API Key into
Given that HTML is definitely public, I'm pretty convinced now that it's not a secret.