| ▲ | singpolyma3 9 hours ago |
| Um. What? In what world are API keys not secrets? |
|
| ▲ | boredpudding 9 hours ago | parent | next [-] |
| Google API keys have been used for ages on the frontend. For example on Google Maps embeds. Those are not possible without exposing a key to the frontend. They weren't secret, until Gemini arrived. https://trufflesecurity.com/blog/google-api-keys-werent-secr... https://medium.com/@ahhyesic/your-google-maps-api-key-now-ha... https://www.malwarebytes.com/blog/news/2026/02/public-google... |
| |
| ▲ | someothherguyy 8 hours ago | parent [-] | | If one ignores 70% of the documentation, it makes for a demonizing blog post about it, sure. "
API keys for Firebase services are not secret API keys for Firebase services only identify your Firebase project and app to those services. Authorization is handled through Google Cloud IAM permissions, Firebase Security Rules, and Firebase App Check. All Firebase-provisioned API keys are automatically restricted to Firebase-related APIs. If your app's setup follows the guidelines in this page, then API keys restricted to Firebase services do not need to be treated as secrets, and it's safe to include them in your code or configuration files.
Set up API key restrictions If you use API keys for other Google services, make sure that you apply API key restrictions to scope your API keys to your app clients and the APIs you use. Use your Firebase-provisioned API keys only for Firebase-related APIs. If your app uses any other APIs (for example, the Places API for Maps or the Gemini Developer API), use a separate API key and restrict it to the applicable API." https://firebase.google.com/support/guides/security-checklis... | | |
| ▲ | three14 8 hours ago | parent | next [-] | | The only reasonable design is to have two kinds of API keys that cannot be used interchangeably: public API keys, that cannot be configured to use private APIs, and private API keys, that cannot be configured to use public APIs. There's no one who must use a single API key for both purposes, and almost all cases in which someone does configure an API key like that will be a mistake. It would be even better if the API keys started with a different prefix or had some other easy way to distinguish between the two types so that I can stop getting warnings about my Firebase keys being "public". | | |
| ▲ | SAI_Peregrinus 2 hours ago | parent [-] | | It'd be much better to call them something like "API usernames" or "API Client IDs". Though I also dislike the naming of "public keys" in asymmetric cryptography, for the same reasons, and I'm definitely not winning that fight! |
| |
| ▲ | 5 hours ago | parent | prev [-] | | [deleted] |
|
|
|
| ▲ | darrenf 9 hours ago | parent | prev | next [-] |
| In Firebase world API keys are for identification, not authorisation. https://firebase.google.com/docs/projects/api-keys Public by design: API keys for Firebase services only identify your Firebase project and app to those services. Authorization is handled through Google Cloud IAM permissions, Firebase Security Rules, and Firebase App Check. |
|
| ▲ | fg137 9 hours ago | parent | prev | next [-] |
| Google's world. They explicitly tell you that API keys are not secrets. https://trufflesecurity.com/blog/google-api-keys-werent-secr... |
| |
| ▲ | lxgr 8 hours ago | parent [-] | | API keys for Firebase. While Google really messed up here, I doubt they ever published anything claiming that no Google API keys at all are secrets. | | |
| ▲ | pwdisswordfishs 8 hours ago | parent [-] | | Google Maps is not Firebase. And "Firebase AI Logic" sure sounds like something easy to confuse with a Firebase service... | | |
| ▲ | lxgr 8 hours ago | parent [-] | | The same principle applies, though. I'm absolutely not defending Google here, to be clear: Retroactively expanding the scope of an API "key" explicitly designated as "public/non-sensitive" is very bad. But the concept itself does make some sense, and I'm just noting that there's precedent both across Google and other companies. | | |
| ▲ | pwdisswordfishs 8 hours ago | parent [-] | | > The same principle applies, though. How? "Firebase AI Logic" Is this a Firebase service or not? |
|
|
|
|
|
| ▲ | embedding-shape 9 hours ago | parent | prev | next [-] |
| In the frontend world where you have client-side API keys talking directly to 3rd party services from the client. Think things like Google Maps and similar. |
| |
| ▲ | londons_explore 8 hours ago | parent [-] | | Which is a stupid idea for something where there is billing involved... Anyone on the internet can take that key and scrape the Google maps API (faking the referer header) and cost you $$$$$. Google should have simply done with by origin URL if they wanted stuff to be open like that. | | |
| ▲ | someothherguyy 8 hours ago | parent [-] | | Once upon a time Google maps loads were nearly free, and there was no way to restrict that key. |
|
|
|
| ▲ | lxgr 8 hours ago | parent | prev | next [-] |
| Public API keys are a thing. Arguably they are poorly named (it's really more of a client identifier), and modeling them as primarily a key instead of primarily as a non-secret identifier can go very wrong, as evidenced here. |
| |
| ▲ | il-b 6 hours ago | parent [-] | | Yeah, just like “public key” in the cryptography sense | | |
| ▲ | lxgr 2 hours ago | parent [-] | | They’re not really cryptographic keys in that sense usually; I’d say “bearer token” is more accurate. |
|
|
|
| ▲ | 9 hours ago | parent | prev [-] |
| [deleted] |
