Reputation: 1925
As per the documentation:
Do not include the API key anywhere in your client code.
And it is the case in our current Android app -- the API Key is nowhere included in the code. However, for the new version 3.0.0 of the com.google.gms:google-services library, it started throwing the error Missing api_key/current_key without it, as discussed here: Missing api_key/current key with Google Services 3.0.0.
Also, Google's config generator https://developers.google.com/mobile/add?platform=android&cntapi=gcm includes the API Key in the google-services.json file.
Is it supposed to be kept secret? Or is it safe to include it in the client app?
Upvotes: 6
Views: 1751
Reputation: 9225
The google-services.json file represents the configuration for all of the services available within Firebase. There are some services that require an "Android" API key. These are the API keys that you will find in the google-services.json file. Your app may or may not use these API keys depending on the Firebase APIs your app is using.
FCM has a "Server" API key that is used to send messages; this API key is NOT the key included in the google-services.json file. The server API key should never be included in your application. The google services plugin, however, does look for those Android API keys at build time, and that could be the reason for your error; it is not because your FCM server API key is missing.
Upvotes: 6
Reputation: 1925
Answering my own question.
If I create a new test project on Firebase (https://console.firebase.google.com), it also includes the API Key into
Given that HTML is definitely public, I'm pretty convinced now that it's not a secret.
Upvotes: 2
Reputation: 26007
If you are using GCM, your Android app need not know about the API key. I just had to include an empty field for api_key in the json file for GCM to work. As mentioned in the answer here Missing api_key/current key with Google Services 3.0.0 and Maps API key in build.gradle, I just had to add a line like below in google-services.json for GCM to work:

"api_key": [
  {
    "current_key": ""
  }
],

I think you shouldn't include the API key, since I think only your server needs the API key to authenticate with Google for requesting it to send push messages to intended recipients. It would be a risk if anyone gets hold of it. So the file can look like:

{
  "project_info": {
    ...
  },
  "client": [
    {
      "client_info": {
        ...
      },
      "oauth_client": [
        {
          "client_id": "yourid.whatever.com",
          ...
        }
      ],
      "api_key": [
        {
          "current_key": ""
        }
      ],
      "services": {
        ...
      }
    }
  ],
  "configuration_version": "1"
}

Hope this helps.
Upvotes: 0
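
A build-time check for the distinction drawn in the answers above, as an added example that is not from any of the posters or from Google: it walks the client[].api_key[].current_key entries of google-services.json and fails if anything shaped like a server key appears in the file. The two key-shape patterns are assumptions borrowed from common secret-scanner rules, the function names are hypothetical, and the sample keys are constructed.

```python
import json
import re

# Assumed key shapes, taken from common secret-scanner rules (not an official spec).
ANDROID_KEY = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")  # client ("Android") API key
SERVER_KEY = re.compile(r"AAAA[0-9A-Za-z_-]{7}:[0-9A-Za-z_-]{140}")  # legacy server key


def audit_google_services(text):
    """Classify every client[].api_key[].current_key in a google-services.json.

    Returns (findings, ok). findings is a list of (client_index, kind);
    ok is False when anything shaped like a server key appears in the file.
    """
    config = json.loads(text)
    findings = []
    for index, client in enumerate(config.get("client", [])):
        for entry in client.get("api_key", []):
            key = entry.get("current_key", "")
            if not key:
                kind = "empty"          # the placeholder workaround
            elif SERVER_KEY.search(key):
                kind = "server-key"     # must never ship in the app
            elif ANDROID_KEY.match(key):
                kind = "android-key"    # expected in this file
            else:
                kind = "unrecognized"
            findings.append((index, kind))
    # A server key pasted into any other field of the file is a leak too.
    return findings, SERVER_KEY.search(text) is None


# Constructed sample values: they have the right shape but are not real keys.
FAKE_ANDROID = "AIza" + "x" * 35
FAKE_SERVER = "AAAA" + "b" * 7 + ":" + "c" * 140


def sample_config(keys, **extra):
    """Build a minimal google-services.json body with one client per key."""
    clients = [{"api_key": [{"current_key": k}]} for k in keys]
    return json.dumps({"client": clients, "configuration_version": "1", **extra})


if __name__ == "__main__":
    print(audit_google_services(sample_config([FAKE_ANDROID, ""])))
    print(audit_google_services(sample_config([FAKE_SERVER])))
    print(audit_google_services(sample_config([""], note=FAKE_SERVER)))
```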