Reputation: 9551
I need to make RESTful calls to a specific area of my Firebase database. The call needs to be made as an unauthenticated user, but I want to secure it using an API_KEY in the header to prevent bots from trawling the data. The database rules will make the data read-only to unauthenticated users. How can I only permit HTTP calls to read data using an API key in Firebase?
I have found this section on Authentication requests but I need to make raw HTTP requests and cannot use the supported SDK methods in the examples provided.
Upvotes: 1
Views: 1279
Reputation: 598740
A simple way is to designate a specific unguessable path in your database for access by this client, and allow public read/write access there. For example:
{
  "rules": {
    "content_4287dhicer29pr2sdkuyfweuf": {
      ".read": true,
      ".write": true
    }
  }
}
Now anyone who knows this key content_4287dhicer29pr2sdkuyfweuf can read/write it, but only those people who know it. And since the key is quite unguessable, it is very unlikely anyone will be able to find it without getting it from you. Well OK, maybe you can come up with a better way to generate a token than bashing your hands on the keyboard. :)
What we've done here is essentially embedding the API key into the key in the database. So instead of being in a header in your request, it is now in the URL.
Upvotes: 1
Reputation: 317392
What you're trying to do isn't possible. Realtime Database doesn't have dedicated API keys that can be controlled by security rules. Your database has one (legacy) private key that effectively gives the user full access to everything in the database. You're not supposed to use that any more.
The other form of authentication is the one you linked. You're going to need to perform OAuth2 authentication to get a token that belongs to a Google user account or a Firebase user account. You use that token in your raw HTTP requests.
There is no other way to specify any sort of special access to the database that can be controlled by security rules. Without using either of these above two methods, you are effectively bound to read only data that security rules have allowed as fully public.
Upvotes: 2
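The two answers describe two different REST access patterns: an unguessable path segment whose name doubles as the "API key" (first answer), and a real Firebase ID token or Google OAuth2 access token attached to a raw HTTP request (second answer). The following is an added example, not code from either answerer or from Firebase: it generates the path segment from the OS CSPRNG instead of by hand, emits the matching security rules (read-only by default, since the question asked for read-only access), and builds the raw REST request. The `?auth=<ID token>` query parameter and the `Authorization: Bearer <access token>` header are the documented Realtime Database REST authentication forms; the database host name is a constructed placeholder, and the request is built but not sent.

```python
import secrets
import urllib.request
from urllib.parse import quote, urlencode

# Constructed placeholder host; a real project uses its own database host.
DB_HOST = "example-project.firebaseio.com"


def make_content_key(prefix="content", nbytes=16):
    """Return an unguessable path segment such as content_3f9a....

    token_hex(16) yields 128 bits from the OS CSPRNG. Hex characters are
    all legal in Realtime Database keys (no '.', '#', '$', '[', ']', '/').
    """
    return f"{prefix}_{secrets.token_hex(nbytes)}"


def build_rules(content_key, writable=False):
    """Security rules exposing only the secret path; read-only by default.

    Nothing outside this key is granted, so a bot that does not know the
    segment sees only permission-denied responses.
    """
    return {
        "rules": {
            content_key: {".read": True, ".write": writable}
        }
    }


def rest_url(host, path, auth_token=None):
    """Build https://<host>/<path>.json, optionally with ?auth=<ID token>.

    Each path segment is percent-encoded separately so that a child path
    such as 'content_x/items' keeps its slashes.
    """
    clean = "/".join(quote(seg, safe="") for seg in path.strip("/").split("/"))
    url = f"https://{host}/{clean}.json"
    if auth_token:
        url += "?" + urlencode({"auth": auth_token})
    return url


def build_request(host, path, id_token=None, access_token=None):
    """GET request for the REST API (constructed, not sent here).

    id_token:     Firebase Auth ID token, sent as the ?auth= query parameter.
    access_token: Google OAuth2 access token, sent as a Bearer header.
    Leave both None for the unguessable-path pattern from the first answer.
    """
    req = urllib.request.Request(rest_url(host, path, auth_token=id_token),
                                 method="GET")
    if access_token:
        req.add_header("Authorization", f"Bearer {access_token}")
    return req


if __name__ == "__main__":
    key = make_content_key()
    print(build_rules(key))
    print(build_request(DB_HOST, key).full_url)
```

Because the secret in the first pattern travels in the URL, it is recorded wherever URLs are logged (proxies, server access logs, browser history), which is why keeping that path read-only and rotating the segment by republishing the rules is the sensible default; a token obtained through Firebase Auth or OAuth2 is the only form that security rules can actually reason about.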