Should I add the google-services.json (from Firebase) to my repository? Ask Question

Should I add the google-services.json (from Firebase) to my repository? Ask Question

I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-services.json file for me to add in the root of my app module.

My question is, should this .json file be added to a public (open source) repo. Is it something that should be secret, like an API key?

ベストアンサー1

A google-services.json file is, from the Firebase doc:

Firebase manages all of your API settings and credentials through a single configuration file.
The file is named google-services.json on Android and GoogleService-Info.plist on iOS.

It seems to make sense to add it to a .gitignore and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json contains.

A project like googlesamples/google-services does have it in its .gitignore for instance.
Although, as commented by stepheaw, this thread does mention

For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.

If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.

baueric asks in the comments:

In that post he says:

The JSON file does not contain any super-sensitive information (like a server API key)

But the google-services.json does have entry called api_key.
Is that a different api key than a "server api key"?

Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:

Yes, that API key isn't a server API key which should never be public, so it's fine if your google-services.json is visible by others.

In any case, you should still restrict how your client API key can be used in the Google Cloud console.


As noted by Puzz in the comments, see also "Is it safe to expose Firebase apiKey to the public?"

In that answer, Frank Van Puffelen mentions:

Update (May 2021): Thanks to the new feature called Firebase App Check, it is now actually possible to limit access to the backend services in your Firebase project to only those coming from iOS, Android and Web apps that are registered in that specific project.

おすすめ記事