Skip to content

Firebase API Key

Service Name: Firebase

Service Description: Firebase is a platform developed by Google for creating mobile and web applications. It provides tools for tracking analytics, reporting and fixing app crashes, creating marketing and product experiments, and more.

Service Address: https://firebase.google.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured through Firebase Console under Project Settings > Service accounts > API keys

Secret Access Scope: Grants access to Firebase services including authentication, database, storage, and other Firebase features. The level of access depends on the specific Firebase project settings.

Secret Revokement URL: https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk

Secret Example: AIzaSyC-xVT9qqgUZGBGGHvf_XWA9lZYm9gF7Xw

Suspicious Activity Investigation Instructions:

  • Review Firebase Console logs for unusual authentication attempts or data access patterns
  • Check Firebase Authentication logs for unexpected user sign-ins
  • Monitor Firebase Realtime Database or Firestore for unexpected data modifications
  • Review Firebase Storage for unauthorized file uploads or downloads
  • Check Firebase Functions logs for unexpected executions
  • Examine Firebase Analytics for unusual traffic patterns or user behavior

Mitigation Instructions:

  • Navigate to the Firebase Console and select your project
  • Go to Project Settings > Service accounts
  • Locate the compromised API key and click "Revoke"
  • Generate a new API key if needed
  • Update all legitimate applications with the new API key
  • Consider implementing Firebase App Check to prevent abuse
  • Set up Firebase Security Rules to restrict access to your Firebase resources
  • Configure API key restrictions in the Google Cloud Console to limit which APIs

can be called

  • Consider implementing domain restrictions to limit where your API key can be

used from