Firebase messaging without server XMPP server - Proposal

Question

I know this question has been asked too many times. But I have something to propose and need to know if it makes sense.

I am already using Firebase database. All I n

Answer 1

The only way to keep your FCM server key secure, is to not expose it to devices of untrusted clients.

If you store the FCM server key in the database, you'll need to store it in a place that is somehow accessible to the users of your app who you want to allow to send FCM messages.

If the FCM server key is accessible to those users, they can take the key and abuse it. If you only allow access to this value to a tiny subset of your users, you'll have reduced the risk to that smaller group of users. And if those are untrusted clients, then your still exposing the key to untrusted clients.

So you're adding a layer of indirection, but I would not consider it a lot more secure.