After creating project in Firebase multiple Google Cloud Platform API keys were auto-generated:
- Server key (auto created by Firebase)
- Android key (auto created by Firebase)
- Browser key (auto created by Firebase)
All keys are marked with "!" sign which says:
This API key is unrestricted. To prevent unauthorised use and quota theft, restrict your key to limit how it can be used.
My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner. "Android key" is embedded inside application so it can be retrieved very easily from apk.
Is any additional configuration necessary?
What permissions exactly is the key granted?