Is It Safe To Send The Access Token In The URL? Firebase Realtime Database REST API

I am using the Firebase Realtime Database REST API on the client side. I noticed that you need to send the access token in the URL and this info is exposed in the request.

Is this a secure way of using the REST API? Is there another more secure way of accomplishing this?

Here is the documentation: https://firebase.google.com/docs/reference/rest/database#section-param-auth

Answer

When you see "https" at the front of the URL used for the API, that means the data is encrypted and can't be intercepted. So passing data along with the query should not pose a security problem in terms of someone gaining access to your key.

However, if you ship a client app that contains the key, you are basically giving it away to anyone who has your app, as it's always possible for someone to reverse engineer your app and gain access to all data inside it. To avoid that, you should be using Firebase Authentication and security rules to determine who can access the data in your database.
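Added example (not part of the original question or answer, and not Firebase's own code): URLs are routinely recorded in browser history and in proxy and server logs, so this sketch keeps the token out of the URL where the REST API allows it and redacts the `auth` and `access_token` query parameters before a URL is logged. It relies on Firebase's documented behaviour that a Google OAuth2 access token may be sent in an `Authorization: Bearer` header while a Firebase ID token uses `?auth=`; the function names, database URL and token strings are constructed for illustration.

```javascript
// Query parameters that carry credentials in Realtime Database REST calls.
const TOKEN_PARAMS = ["auth", "access_token"];

// Describe a request. A Google OAuth2 access token goes in the Authorization
// header; a Firebase ID token is passed as ?auth= (assumption: per Firebase docs).
function buildRequest(databaseUrl, path, token, tokenKind) {
  const url = new URL(`${path}.json`, databaseUrl);
  const headers = {};
  if (tokenKind === "oauth2") {
    headers["Authorization"] = `Bearer ${token}`;
  } else if (tokenKind === "idToken") {
    url.searchParams.set("auth", token);
  } else {
    throw new Error(`unknown token kind: ${tokenKind}`);
  }
  return { url: url.toString(), headers };
}

// Replace credential values before a URL reaches a log, error report or
// analytics event. Other query parameters are left untouched.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of TOKEN_PARAMS) {
    if (url.searchParams.has(name)) url.searchParams.set(name, "REDACTED");
  }
  return url.toString();
}

// Redact every http(s) URL found in a free-form log line.
function redactLogLine(line) {
  return line.replace(/https?:\/\/[^\s"']+/g, (match) => {
    try {
      return redactUrl(match);
    } catch {
      return match; // not a parseable URL: leave the text as it was
    }
  });
}

// Constructed sample values (hypothetical project and tokens).
const DB = "https://example-project.firebaseio.com/";
const viaHeader = buildRequest(DB, "users/ada/name", "ya29.CONSTRUCTED", "oauth2");
const viaQuery = buildRequest(DB, "users/ada/name", "eyJ.CONSTRUCTED.sig", "idToken");
console.log(viaHeader.url);                              // no token in the URL
console.log(redactLogLine(`GET ${viaQuery.url} 200`));   // token value replaced
```

Redaction only limits where a token is copied to; what a leaked or extracted token can read or write is still decided by the database's security rules.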

source: stackoverflow.com