Is this Firebase/Firestore security rule for anonymously authenticated users safe?

Question

I have a Flutter app that uses an API to pull data. My API key is the only thing stored in my entire Firestore database. My Flutter app retrieves the API key from Firestore and then uses it to fetch data.

My app also has anonymous authentication enabled. My app creates an anonymous user when the app is launched. My app does not allow users to create an account or sign up.

Below are the Firestore security rules that I currently have and I'm unsure if they can be improved to make them more secure from malicious attacks. My rules point to a very specific document myAPIKeyDocument, allows get only for authorized users, and does not allow write.

Are these rules safe as is or can they be improved if the only permission I want my app to grant is read access of my API key for anonymously authenticated users? And also, does if request.auth.uid != null; really make a difference at all since all users of my app will be automatically anonymously authenticated?

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /myDataCollection/myAPIKeyDocument {
      allow get: if request.auth.uid != null;
      allow write: if false;
    }
  }
}

Answer 1

If any user in your app having access to your API key is secure enough, then yes you are fine. Personally I would migrate any logic that requires an API key out of the client app and into Firebase Functions. That way you can more tightly control security to allow only requests from your app.

With anonymous authentication your current rules are about as good as it gets with the current structure of your project.