AI-coded apps

    Is it Safe to Put Firebase Config in React Native?

    A React Native app safely including the public Firebase config while Firestore Security Rules protect the data and the Admin SDK key stays server-side.

    Yes, it is safe to put your Firebase config, including the apiKey, in a React Native app, because that config is an identifier for your Firebase project, not a secret credential. Firebase is designed for the config to live in client apps, and your data is protected not by hiding the config but by Firebase Security Rules, Authentication, and App Check. The key distinction is that the Web API key in your config is public by design, while a service account or Admin SDK private key is a real secret that must never ship in the app. So include the config, lock down your Security Rules, and keep the true secrets on your server.

    Short answer

    The Firebase config, apiKey included, is safe in a React Native app because it identifies your project rather than authorizing access. Per Firebase's API keys documentation, these keys are not secrets and are meant to be included in client code, with access controlled elsewhere. Per Firebase's Security Rules, your rules decide who can read and write your data, so they, along with Authentication and App Check, are your real protection. What must never appear in the app is a service account or Admin SDK private key, which bypasses rules and grants full access. Include the config, write strict rules, and keep secrets server-side.

    Is it safe? Why the config is public by design

    It is safe, and the reason is that the Firebase config is not a secret to begin with. The values in your config, the apiKey, project ID, app ID, and the various domain and sender fields, together identify which Firebase project your app talks to. They are analogous to a public address, not a password, so exposing them tells an observer which project you use but does not, by itself, grant them any access to your data. Firebase expects this config to be present in client apps, including web and React Native.

    This surprises people because one of the fields is called apiKey, which sounds like a secret. In Firebase, that Web API key is an identifier used to route your app's requests to the right project, and Firebase's own documentation states it does not need to be treated as a secret. Security is enforced by other mechanisms, not by keeping the config hidden. So the correct mental model is that the config being visible is expected and fine, and your effort belongs on the controls that actually decide who can do what.

    API keys versus secret keys in Firebase

    The distinction that resolves this question is between the client API key and true server secrets. The Firebase Web API key in your app config is a client identifier: safe to include, not a credential that grants privileges on its own, and governed by your Security Rules and other controls. Including it in React Native is expected, not a mistake, and it is the same value across every install of your app.

    A secret key in the Firebase world is something entirely different: a service account credential, typically the Admin SDK private key JSON, which authenticates privileged server-side access and bypasses your Security Rules. That key must live only on a server you control and must never be bundled into your app, committed to your repository, or exposed, because anyone who obtains it has full administrative access to your project's data. So when you ask whether Firebase keys are safe in the client, the answer depends entirely on which key: the client config apiKey is safe, and the service account key is a serious secret that never ships.

    Security Rules: what actually protects your data

    Because the config is public, Firebase Security Rules are what actually protect your data, and getting them right is the real work. Rules on Cloud Firestore, the Realtime Database, and Cloud Storage decide, per request, who can read or write which data, evaluated on Firebase's servers rather than in your app. With strict rules, even though anyone can see your config and send requests to your project, they can only access the data your rules permit, which is what makes the public config safe.

    The common failure is not an exposed config but weak rules. A project left in test mode, or with rules that allow reads and writes to anyone, exposes all its data regardless of how well the config is hidden, because the rules are the gate and the gate is open. Write rules that deny by default and grant access based on Firebase Authentication, so that users can only reach their own data, and test them. If your Firebase data has ever been publicly readable, the fix is your rules, not concealing the config.

    App Check and API key restrictions

    Beyond rules, two defense-in-depth measures harden a Firebase app further. App Check helps ensure that requests to your Firebase resources come from your genuine, untampered app rather than from a script or a cloned client, by attesting the app's authenticity, which reduces abuse of your backend even though your config is public. It is worth enabling for a production app, since it raises the bar against automated misuse.

    You can also restrict the Web API key in the Google Cloud console, limiting which apps and which APIs may use it, so that even though the key is visible, its use is scoped. These measures do not replace Security Rules, which remain the core protection for your data, but they add layers that reduce abuse and misuse. Think of the arrangement as rules and Authentication deciding who can access data, App Check confirming the request comes from your app, and key restrictions narrowing where the key can be used, together forming a defense-in-depth posture around a config that is public by design.

    The real mistake to avoid

    The genuine mistakes here are not putting the config in the app, but two others. The first is relying on hidden config as your security, then leaving Security Rules weak, which exposes your data no matter how the config is stored. If you took away one thing, it would be that hiding the config protects nothing and correct rules protect everything, so invest accordingly.

    The second, more serious mistake is shipping a true secret in the app, above all a service account or Admin SDK key. That does grant full access, and unlike the config it is genuinely dangerous in the client, so if one has ended up in your React Native app, treat it as compromised: rotate or delete the service account key in the Google Cloud console immediately, remove it from the app, and move any privileged server operations to an actual backend. Confusing the safe config key with a real secret, in either direction, is the error to avoid, and knowing which is which is the whole answer.

    Safe versus unsafe Firebase credentials

    Sorting your Firebase credentials makes clear what may ship. The table below compares them.

    CredentialShip it in the app?What controls access
    Firebase Web config, including apiKeyYes, safe by designSecurity Rules, Authentication, App Check
    Service account or Admin SDK keyNeverIt bypasses rules; server-side only
    Custom third-party API secretNeverKeep behind a backend proxy
    Your Firestore or database dataReached with the configSecurity Rules plus Authentication

    Read the table by whether a credential grants privilege on its own: the config does not and is safe, while the service account key does and must never ship.

    Firebase security checklist

    Working through these steps secures a React Native Firebase app correctly. The checklist below covers them.

    StepActionDone?
    Include the configThe Web config in the app is fine[ ]
    Never ship the service accountKeep the Admin SDK key server-side[ ]
    Write strict Security RulesDeny by default, scope to the signed-in user[ ]
    Leave test modeNo allow-all rules in production[ ]
    Enable App CheckAttest that requests come from your app[ ]
    Restrict the API keyLimit its allowed apps and APIs[ ]

    The step that carries the most weight is writing strict Security Rules, because they, not the visibility of your config, are what actually decide who can access your data.

    Audit your React Native build

    Because the real risk is a genuine secret slipping into the app rather than the config being visible, checking what actually ships is worthwhile, especially when an AI code generator or a copied snippet may have added an Admin SDK key. Knowing whether a true secret is present, and how your data is handled, is the input to a correct Firebase setup.

    A scanner like PTKD.com analyzes your React Native build and reports issues such as leaked keys and secrets, insecure data storage, and over-broad permissions by severity, mapped to OWASP MASVS, so a service account key that wrongly ended up in the app is flagged, unlike the harmless config. To be clear about the boundary: PTKD does not write your Security Rules or configure App Check. It finds a real secret in the build so you know what to rotate and remove, while your rules do the data protection.

    What to take away

    • It is safe to put the Firebase config, including the apiKey, in a React Native app, because the config identifies your project rather than authorizing access.
    • The Web API key in your config is a public identifier, while a service account or Admin SDK key is a real secret that must never ship in the app.
    • Firebase Security Rules, with Authentication, are what actually protect your data, so weak or test-mode rules, not a visible config, are the real exposure.
    • Add App Check and API key restrictions as defense in depth, but rely on Security Rules as the core protection.
    • Audit your build with a tool like PTKD.com to catch a service account key that slipped into the app, and fix data exposure in your rules.
    • #firebase
    • #react native
    • #security rules
    • #api keys
    • #app check

    Frequently asked questions

    Is it safe to put the Firebase config in React Native?
    Yes. The Firebase config, including the apiKey, is an identifier for your project, not a secret, and Firebase is designed for it to be included in client apps. Exposing it tells an observer which project you use but does not grant access to your data on its own. Your protection comes from Firebase Security Rules, Authentication, and App Check, not from hiding the config, so including it is expected rather than a mistake.
    Is the Firebase apiKey a secret?
    No. Despite the name, the Firebase Web API key in your config is a client identifier used to route your app's requests to the right project, and Firebase's documentation states it does not need to be treated as a secret. It is the same value across every install of your app. The secret in the Firebase world is a service account or Admin SDK private key, which is entirely different and must never ship in the app.
    What is the difference between the API key and a secret key?
    The client API key in your config is a safe, public identifier governed by your Security Rules and other controls. A secret key is a service account credential, typically the Admin SDK private key JSON, which authenticates privileged server-side access and bypasses your Security Rules. That must live only on a server you control, because anyone who obtains it has full administrative access to your data. The config apiKey is safe; the service account key never ships.
    How do Security Rules protect my Firebase data?
    Rules on Cloud Firestore, the Realtime Database, and Cloud Storage decide per request who can read or write which data, evaluated on Firebase's servers. With strict rules, even though anyone can see your config and send requests, they can only access what your rules permit, which is what makes the public config safe. Write rules that deny by default and grant access based on Firebase Authentication, and never leave a project in test mode with allow-all rules.
    What is the most dangerous Firebase mistake?
    Two things, neither of which is the visible config. First, relying on hidden config while leaving Security Rules weak, which exposes your data no matter how the config is stored. Second, and more serious, shipping a service account or Admin SDK key in the app, which does grant full access. If one has ended up in your React Native app, rotate or delete it in the Google Cloud console immediately, remove it, and move privileged operations to a backend.
    How do I confirm no real secret shipped in my app?
    Audit the build, since the danger is a genuine secret slipping in, not the harmless config, especially when an AI code generator or a copied snippet added an Admin SDK key. A scanner like PTKD.com (https://ptkd.com) analyzes your React Native build and reports leaked keys and secrets, insecure storage, and over-broad permissions by severity, mapped to OWASP MASVS, flagging a service account key that wrongly shipped. It does not write your Security Rules, but it finds a real secret to rotate and remove.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free