Rotating Firebase Web API Keys
Overview
Firebase Web API keys are essential credentials that authenticate your web applications with Firebase services. Regular rotation of these API keys is a critical security practice that helps protect against unauthorized access and reduces the impact of potential key compromises.
This guide covers the complete process of rotating Firebase Web API keys, from generating new keys to updating your applications and monitoring the transition.
Why Rotate Firebase Web API Keys?
Regular key rotation is essential for:
- Security Compliance - Meet organizational security policies and regulatory requirements
- Abuse Prevention - Mitigate unauthorized usage if keys are scraped or used maliciously by third parties
Steps
- Navigating to the current API Key
  - Go to GCP APIs and Services
  - Navigate to Credentials
  - Then click on the existing API key
  Note: The first time, the name will be "Browser key (auto created by Firebase)"; once key rotation has started, the name will be based on the release name or version.
- Rotating the API Key
  - In the Edit API Key page, click on the Rotate Key button. This will take you to the Rotate API Key page.
  - In the Rotate API Key page, enter the new API key name (release name or version) and click on the Create button. Don't change any other settings.
  - After the key is created, copy the new API key and click on the Continue button.
- Updating Secrets
  - In a new tab, open GCP Secret Manager.
  - In the Secret Manager, find the secret named FIREBASE_WEB_APP_API_KEY and click on it.
  - In the secret details page, click on the New Version button.
  - In the New Version modal, paste the new API key you copied earlier into the Secret Value field and click on ADD NEW VERSION.
  - After the new version is created, you will see the new version in the list of versions.
  NOTE: DEV ONLY - Update the REACT_APP_API_KEY value in the .env file in the web and admin repos. Commit and push the changes.
- Update the Web Apps
  - Deploy all the web apps (visn web app and admin app). The deploy workflow will fetch the latest secret version and deploy the web apps with the new API key.
- Revoke the Old API Key
  - In GCP APIs and Services, navigate back to the Credentials page.
  - Click on the new API key you just created.
  - In the Edit API Key page, click on the Delete the previous key button.
  - Confirm the deletion by clicking on Delete in the confirmation dialog.
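
A check to run between deploying the web apps and deleting the previous key, added here as an example and not part of the original guide or its deploy workflow: it scans the text of deployed assets for API keys and reports whether any asset still references the old key. The function names, asset paths and sample keys are constructed for illustration, and it assumes the usual Google API key shape ("AIza" followed by 35 characters); fetching the assets is left to the caller.

```python
import re

# Assumption: Google API keys (Firebase Web API keys included) are "AIza" + 35 characters.
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")


def mask(key):
    """Shorten a key for log output so reports never contain the full value."""
    return f"{key[:8]}...{key[-4:]}"


def check_assets(assets, new_key, old_key):
    """Classify every API key found in deployed asset text.

    assets: mapping of asset name -> text content (for example a downloaded JS bundle).
    Returns a report; 'safe_to_delete_old' is True only when no asset still
    references the old key and at least one asset carries the new key.
    """
    report = {"new": [], "old": [], "unknown": []}
    for name, text in assets.items():
        for key in sorted(set(API_KEY_RE.findall(text))):
            if key == new_key:
                bucket = "new"
            elif key == old_key:
                bucket = "old"
            else:
                bucket = "unknown"  # a key that is neither: worth a manual look
            report[bucket].append((name, mask(key)))
    report["safe_to_delete_old"] = bool(report["new"]) and not report["old"]
    return report


# Constructed sample values, not real keys; asset paths are hypothetical.
OLD_KEY = "AIza" + "A" * 35
NEW_KEY = "AIza" + "B" * 35
SAMPLE_ASSETS = {
    "web/static/js/main.js": f'const cfg={{apiKey:"{NEW_KEY}",projectId:"demo"}};',
    "admin/static/js/main.js": f'const cfg={{apiKey:"{OLD_KEY}",projectId:"demo"}};',
}

if __name__ == "__main__":
    result = check_assets(SAMPLE_ASSETS, NEW_KEY, OLD_KEY)
    for bucket in ("new", "old", "unknown"):
        for name, masked in result[bucket]:
            print(f"{bucket:8} {name} {masked}")
    print("safe to delete old key:", result["safe_to_delete_old"])
```

In the sample data the admin bundle still carries the old key, so the check reports that deleting the previous key would break that app until it is redeployed.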
Rollback API Key
If you need to restore the deleted API key, you can do so by following these steps:
- Go to GCP APIs and Services
- Navigate to Credentials
- Click on the Restore deleted credentials button
- In the Deleted credentials page, find the deleted API key and click on the Restore button
- In the confirmation dialog, click on the Restore button to confirm the restoration.
Conclusion
Regular rotation of Firebase Web API keys is essential for maintaining application security. By following this guide, you can implement a robust key rotation process that minimizes downtime while maximizing security. Whether using manual processes or automated workflows, the key is to plan carefully, test thoroughly, and monitor continuously.
Status: Accepted
Category: Protected
Authored By: Gladson on July 1st, 2025