An API key is a unique string that's used to route requests to your Firebaseproject when interacting with Firebase and Google services. This page describesbasic information about API keys as well as best practices for using andmanaging API keys with Firebase apps.
General information about API keys and Firebase
API keys for Firebase are different from typical API keys
Unlike how API keys are typically used, API keys for Firebase services arenot used to control access to backend resources; that can only be donewith Firebase Security Rules (to control which end users can access resources) andFirebase App Check (to control which apps can access resources).
Usually, you need to fastidiously guard API keys (for example,by using a vault service or setting the keys as environment variables); however,API keys for Firebase services are OK to include in code or checked-in configfiles.
Although API keys for Firebase services are safe to include in code, you shouldreview and apply appropriate restrictions and limits to them.
Creating API keys
A Firebase project can have many API keys, but each API key can only beassociated with a single Firebase project.
Firebase automatically creates API keys for your project when you do any of thefollowing:
- Create a Firebase project >
Browser key
auto-created - Create a Firebase Apple App >
iOS key
auto-created - Create a Firebase Android App >
Android key
auto-created
You can also create your own API keys in theGoogle Cloud console,for example for development or debugging. Learn more aboutwhen this might be recommended later on this page.
Finding your API keys
You can view and manage all your project's API keys in theAPIs & Services > Credentials panel in the Google Cloud console.
You can also find which API key is automatically matched to aFirebase App in the following places. Bydefault, all of your project's Firebase Apps for the same platform (Apple vsAndroid vs Web) will use the same API key.
Firebase Apple Apps — Find the auto-matched API key in the Firebaseconfig file,
, in theGoogleService-Info.plist API_KEY
field.Firebase Android Apps — Find the auto-matched API key in theFirebase config file,
, in thegoogle-services.json current_key
field.Firebase Web Apps — Find the auto-matched API key in the Firebaseconfig object, in the
apiKey
field.
Using an API key
API keys are used to identify your Firebase project when interacting withFirebase/Google services. Specifically, they're used to associate API requestswith your project for quota and billing. They're also useful for accessingpublic data.
For example, you can explicitly use an API key by passing its value into a RESTAPI call as a query parameter. This example shows how you might make a requestto theDynamic Links link shortener API:
POST https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=API_KEY
When your app makes a call to a Firebase API that requires an API key providedby the mobile/web client, your app will automatically look in theFirebase config file/object for your project's API key. You can, however,provide API keys for your app using a different mechanism, including environmentvariables.
Review and apply appropriate restrictions to API keys (recommended)
Although it's not necessary to treat an API key for Firebase services as asecret, you should review and apply restrictions and limits as described in thissection.
Review the APIs automatically added to the allowlist for your Firebase API keys
When Firebase creates an API key in your project, we automatically add"API restrictions" to that key. The APIs added to this allowlist are Firebase-related APIs thatrequire the client to provide an API key along with the call. Note that mostAPIs required for use of Firebase services don't actually need to be on theallowlist for your API keys.
Since Firebase adds the necessary APIs for all Firebase services, theallowlist for an API key may include APIs for products that you do not use.You can remove APIs from the allowlist, but you must be very careful to notremove the APIs required for Firebase and the Firebase services that you use(see thelist of the Firebase-related APIsthat need to be on the allowlist for each service / product). Otherwise, youwill get errors when making calls to Firebase services.
Tighten quota if you use password-based Authentication
If you use password-based Firebase Authentication and someone gets hold of your APIkey, they will not be able to access any of your Firebase project's databaseor Cloud Storage data as long as this data is protected byFirebase Security Rules. They could, however, use your API key to accessFirebase's authentication endpoints and make authentication requests againstyour project.
To mitigate against the possibility that someone might misuse an API key toattempt a brute force attack, you can tighten the default quota of theidentitytoolkit.googleapis.com
endpoints to reflect the normal trafficexpectations of your app. Be aware that if you tighten this quota and your appsuddenly gains users, you might get sign-in errors until you increase the quota.You can change your project's API quotas in theGoogle Cloud console.
Use separate, restricted API keys for any non-Firebase service
Although API keys used for Firebase services do not generally need to be treatedas secret, you should take some extra precautions with API keys that you usewith other Google Cloud APIs.
If you use a Google Cloud API (on any platform) that's not for a Firebaseservice / product, we strongly recommend creating separate, restricted API keysfor use with those APIs. This is particularly important if the API is for abillable Google Cloud service.
For example, if you use Firebase ML and the Cloud Vision APIs on iOS, youshould create separate API keys that you use onlyfor accessing the Cloud Vision APIs.
By using separate, restricted API keys for non-Firebase APIs, you can rotate orreplace the keys when necessary and add additional restrictions to the APIkeys without disrupting your use of Firebase services.
View instructions for creating API-specific keys
These instructions describe how to create a separate, restricted API key for afake API called Super Service API
.
Step 1: Configure your existing API keys to disallow access to Super Service API
Open the Credentialspage of the Google Cloud console. When prompted, select your project.
For each existing API key in the list, open the editing view.
In the API restrictions section, select Restrict key, then add to thelist all of the APIs to which you want the API key to have access. Make sureto not include the API for which you're creating a separate API key(in this example,
Super Service API
).When you configure an API key's API restrictions, you are explicitlydeclaring the APIs to which the key has access. By default, when theAPI restrictions section has Don't restrict key selected, an API keycan be used to access any API that is enabled for the project.
Now, your existing API keys will not grant access to Super Service API
, buteach key will continue to work for any APIs that you added to itsAPI restrictions list.
Step 2: Create and use a new API key for access to Super Service API
Return to the Credentialspage. Be sure your Firebase project is still selected.
Click Create credentials > API key. Take note of the new API key, thenclick Restrict key.
In the API restrictions section, select Restrict key, then add to thelist only the
Super Service API
.This new API key grants access only to the
Super Service API
.Configure your app and services to use the new API key.
Use environment-specific API keys (recommended)
If you set up different Firebase projects for different environments, such asstaging and production, it's important that each app instance interacts with itscorresponding Firebase project. For example, your staging app instance shouldnever talk to your production Firebase project. This also means that yourstaging app needs to use API keys associated with your staging Firebase project.
To reduce problems promoting code changes from development to staging toproduction, instead of including API keys in the code itself, either set them asenvironment variables or include them in a configuration file.
Note that if you're using the Firebase Local Emulator Suite for development alongwith Firebase ML, you must create and use a debug-only API key. Instructionsfor creating that kind of key are found in theFirebase ML docs.
FAQs and troubleshooting
FAQs
Are API keys for Firebase services restricted by default?
Yes, by default, all API keys that Firebase auto-provisions for use withFirebase-related APIs have"API Restrictions" applied automatically. See thelist of the Firebase-related APIsthat are on this allowlist.
The APIs added to this allowlist are those APIs called by Firebase services fromclient-code and require API keys for identification of your Firebase project orapp. Note that most APIs required for use of Firebase services don't actuallyneed to be on the allowlist for your API keys.
Since Firebase adds the necessary APIs for all Firebase services, theallowlist for an API key may include APIs for products that you do not use. Youcan remove APIs from the allowlist, but you must be very careful to not removethe APIs required for Firebase and the Firebase services that you use (see thelist of the Firebase-related APIsthat need to be on the allowlist for each service / product). Otherwise, youwill get errors when making calls to Firebase services.
You can view all your API keys and their "API restrictions" in theAPIs & Services > Credentials panel in the Google Cloud console.
Note the following about how Firebase applies these "API restrictions":
Starting in May 2024, all new API keys auto-provisioned by Firebase areautomatically restricted to thelist of the Firebase-related APIs.
During May 2024, all existing and unrestricted API keys that Firebase hadpreviously auto-provisioned are restricted to thelist of the Firebase-related APIsplus any of the project's currently enabled APIs.
Any existing and already restricted API keys that Firebase had previouslyauto-provisioned were not changed.
Any existing API keys that were not auto-provisioned by Firebase were notchanged.
How can I determine which API key is associated with my Firebase App?
You can use any of the following options to determine which API key isassociated with your Firebase App:
Firebase console
Go to settingsProject settings,and then scroll down to the Your apps card.
Select the app of interest.
Obtain the Firebase config file/object for the app of interest, and thenfind its API key:
Apple: Download the
GoogleService-Info.plist
, and then find theAPI_KEY
fieldAndroid: Download the
google-services.json
, find the config forthe app of interest (look for its package name), and then find thecurrent_key
fieldWeb: Select the Config option, and then find the
apiKey
field
Firebase CLI
Obtain the Firebase config file/object for the app of interest by runningthe following command:
firebase apps:sdkconfig PLATFORM FIREBASE_APP_ID
- PLATFORM (one of):
IOS
|ANDROID
|WEB
- FIREBASE_APP_ID: the Firebase-assigned unique identifier foryour Firebase App (find your App ID)
- PLATFORM (one of):
In the app's printed Firebase configuration, find its API key:
Apple: Find the
API_KEY
fieldAndroid: Find the config for the app of interest (look for itspackage name), and then find the
current_key
fieldWeb: Find the
apiKey
field
REST API
Obtain the
apiKeyId
(the UID) of the API key by calling theapplicable endpoint for the app of interest, and then passing theapiKeyId
value to the next step.- Apple: Call
projects.iosApps.get
- Android: Call
projects.androidApps.get
- Web: Call
projects.webApps.get
- Apple: Call
Obtain the API key string by calling
projects.locations.keys.getKeyString
.This
keyString
is the same value that can be found in the App'sconfiguration artifact(Apple |Android |Web).
Can I have two API keys listed for the same Firebase App in my Firebase config file/object?
Firebase Apple Apps — Each app has its own config file and can have onlyone API key listed.
Firebase Android Apps — All Android apps in the Firebase project arelisted in the same config file, and each app can only have one API keylisted. Each app in this config file can have a different key listed,though.
Firebase Web Apps — Each app has its own config object and can have onlyone API key listed.
You can use multiple API keys with one app, though. You must provide amechanism for your app to access these other API keys, like via an environmentvariable. The mechanism to access the other API keys just can't depend on thoseAPI keys being listed in your Firebase config file/object.
How does Firebase know which API key to match to an app (like in the Firebase config file/object)?
When you first obtain your app's Firebase configfile/object,Firebase checks if there are any existing API keys in your project that have"Application Restrictions" that match the app (for example, a matching bundle ID for the Apple app).
If Firebase doesn't find any restricted keys that match, then it will list inthe config file/object the iOS key
for Apple apps, the Android key
forAndroid apps, and the Browser key
for web apps (assuming that these keys existand have no "Application Restrictions" that keep them from matching to thatapp).
Can I manually delete the API key and field from my Firebase config file/object?
Yes, you can manually delete your API key from your config file/object. However,you must provide some other mechanism for your app to access an API key(like via an environment variable). Otherwise, any calls to Firebase serviceswill fail.
Can I manually edit my Firebase config file/object with different API keys?
Yes, you can manually edit a config file/object to associate a different API keywith an app.
Note that if youre-obtain your app's config file/object from the console, it will always list the API keys thatFirebase automatically matches to that app. So,you'll need to repeat your manual edits, as needed.
Can I move an API key from one Firebase project to another?
No, an API key only identifies a specific project and cannot be moved to anotherproject.
What happens if I delete an API key listed in the Google Cloud console?
If you delete an API key that's in use by an app, then API calls from that appwill fail. You may get reports, emails, or errors that you're attempting to usean API key that is invalid.
Deleting an API key is permanent and cannot be undone.
Which APIs are required in the "API restrictions" allowlist for a Firebase API key?
For a Firebase API key, the only APIs that need to be on the key's"API restrictions" allowlist are the APIs that require the client to provide anAPI key along with the call. Note that very few Firebase-related APIs have thisrequirement. Most Firebase-related APIs enabled in your project don't need to beon the key's "API restrictions" allowlist.
Use the following table to determine which Firebase-related APIs need to beincluded in the "API restrictions" allowlist for a Firebase API key. Remember,Firebase API keys should only be used for Firebase services. Learn more aboutcreatingseparate, restricted API keys for specific types of APIs.
You can view and manage your project's API keys in theAPIs & Services > Credentials panel in the Google Cloud console.
API name (service name) | API display name | Associated Firebase service / product |
---|---|---|
firebase.googleapis.com | Firebase Management API | all products |
logging.googleapis.com | Cloud Logging API | all products |
firebaseinstallations.googleapis.com | Firebase Installations API | Cloud Messaging, Crashlytics, In-App Messaging, Performance Monitoring, Remote Config, Firebase ML |
firebaseappcheck.googleapis.com | Firebase App Check API | App Check |
firebaseappdistribution.googleapis.com | Firebase App Distribution API | App Distribution |
firebaseapptesters.googleapis.com | Firebase App Testers API | App Distribution |
identitytoolkit.googleapis.com | Identity Toolkit API | Authentication |
securetoken.googleapis.com | Token Service API | Authentication |
firebaserules.googleapis.com * | Firebase Rules API | Cloud Firestore, Cloud Storage, Realtime Database |
datastore.googleapis.com | Cloud Datastore API | Cloud Firestore |
firestore.googleapis.com | Google Cloud Firestore API | Cloud Firestore |
fcmregistrations.googleapis.com | FCM Registration API | Cloud Messaging |
firebasestorage.googleapis.com | Cloud Storage for Firebase API | Cloud Storage |
firebasedynamiclinks.googleapis.com | Firebase Dynamic Links API | Dynamic Links |
firebasehosting.googleapis.com * | Firebase Hosting API | Hosting |
firebaseinappmessaging.googleapis.com | Firebase In-App Messaging API | In-App Messaging |
firebaseml.googleapis.com | Firebase ML API | Firebase ML, Vertex AI in Firebase |
mlkit.googleapis.com ** | ML Kit API | Firebase ML |
mobilecrashreporting.googleapis.com | Mobile Crash Reporting API | Performance Monitoring |
play.googleapis.com | Google Play Android Developer API | Performance Monitoring |
firebaseremoteconfig.googleapis.com | Firebase Remote Config API | Performance Monitoring, Remote Config |
firebaseremoteconfigrealtime.googleapis.com | Firebase Remote Config Realtime API | Performance Monitoring, Remote Config |
cloudconfig.googleapis.com ** | N/A | Remote Config |
firebasedatabase.googleapis.com * | Firebase Realtime Database API | Realtime Database |
* Required only if you're using the Firebase API key with third-party tools or direct REST access to the Firebase service / product.
** Required for earlier versions of the product's SDK. If you're using the latest version of the SDK, the API doesn't need to be on the key's allowlist.
Troubleshooting
How do I fix a
API_KEY_SERVICE_BLOCKED
or Forbidden 403 error that says requests to this API are blocked?
Follow the guidance in this FAQ if you're getting a API_KEY_SERVICE_BLOCKED
error or an error that looks like the following:
Forbidden: 403 POST https://example-service.googleapis.com/method: Requests to this API example-service.googleapis.com method google.example-service.rest.method are blocked.
The API key used by your app to call the API probably has"API Restrictions" applied to it, and the key's allowlist doesn't include that API.
If you're getting this error when trying to use a Firebase-relatedservice / product, then make sure that the API key that you're using has alltherequired APIs included in the key's "API restrictions" allowlist.
If you're getting this error when trying to use a non-Firebase service, thenwe strongly recommend creating a new API key specifically for that service andAPI. Firebase API keys should only be used for Firebase services / products.Learn more about creatingseparate, restricted API keys for specific types of APIs.
How do I fix this error? "Failed to fetch this Firebase app's measurement ID from the server."
The API key used by your web app probably has"API Restrictions" applied to it. If this is the case, make sure that the Firebase Management APIis in the list of allowed APIs.
I got an email or error that my API key is invalid. What happened and how do I fix this?
Here are a few of the most common causes for invalid API keys:
The API key has"API Key Restrictions" applied to it that make it unmatchable to the app attempting to use the key("Application Restrictions") or unusable for the API being called ("APIRestrictions").
The API key was deleted from the project in the Google Cloud console.
The API key was not created for the Project ID listed in the app'sFirebase config file/object.
One way to fix this issue is to obtain the updated version of your app'sFirebase config file/object,then replace your old config file/object with the new updated file/object.Before sending a config file for download or displaying a config object in theconsole, Firebase checks that the API key(s) listedmatch to the app(s).
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-16 UTC.
[{ "type": "thumb-down", "id": "missingTheInformationINeed", "label":"Missing the information I need" },{ "type": "thumb-down", "id": "tooComplicatedTooManySteps", "label":"Too complicated / too many steps" },{ "type": "thumb-down", "id": "outOfDate", "label":"Out of date" },{ "type": "thumb-down", "id": "samplesCodeIssue", "label":"Samples / code issue" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]