security - Is it OK to store Google Map api key on Firestore ? (Calling from Flutter app)

Question

TL;DL

Is it OK to store api key for Google map api on Firebase Firestore with security rules ?

Question

I'm working on map features using google_maps_flutter plugin. This package describes to store the key on source code on its document, but this seems to be insecure.

Many developers describing that the most secure way to manage api key is to store on server side and I agree with this idea.

I found the issue but it seems that the plugin does not have a way to provide the api key dynamically.

In the iOS sdk, they have GMSServices.provideAPIKey(Could not find same kind of methods on Android) and this allows to provide api key dynamically. If the plugin support these features in future, is it OK to store the key on firestore with security rules?

Thank you

question from:https://stackoverflow.com/questions/66055676/is-it-ok-to-store-google-map-api-key-on-firestore-calling-from-flutter-app

Answer 1

If your third-Party API Key are sensitive, they should stay on the server and never reach the User's device.

So, you could store them on Firestore with strong security rules (i.e. only readable with admin privileges) and then place the third-party API calls within Firebase Cloud Functions.