Hide 3rd party API-key with firebase

Question

Im building a website in firebase. It\'s a simple look-up service which only has an input element that fires a request to a 3rd party api.

www.3rdpar

Answer 1

Putting such an API key into the client-side code of your application introduces the risk of malicious users taking your key and using it to their own purposes. There is nothing you can do about that, except for simply not including the API key into the client-side code. This applies equally to Android and iOS code btw.

Since you can't put the API key in client-side code, you'll have to run it on a server. This is a quite common scenario for using server-side code within a Firebase architecture: the code needs access to some information that common clients cannot be trusted with. It is covered by pattern 2 in our blog post on common Firebase application architectures.

From that blog post:

An example of such an architecture in action would be clients placing tasks for the server to process in a queue. You can have one or more servers picking off items from the queue whenever they have resources available, and then place the result back into your Firebase database so the clients can read them.