Should I add the google-services.json (from Firebase) to my repository?
A google-services.json
file is, from the Firebase doc:
Firebase manages all of your API settings and credentials through a single configuration file.
The file is namedgoogle-services.json
on Android andGoogleService-Info.plist
on iOS.
It seems to make sense to add it to a .gitignore
and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json
contains.
A project like googlesamples/google-services
does have it in its .gitignore
for instance.
Although, as commented by stepheaw, this thread does mention
For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.
If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.
baueric asks in the comments:
In that post he says:
The JSON file does not contain any super-sensitive information (like a server API key)
But the
google-services.json
does have entry calledapi_key
.
Is that a different api key than a "server api key
"?
Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:
Yes, that API key isn't a server API key which should never be public, so it's fine if your
google-services.json
is visible by others.In any case, you should still restrict how your client API key can be used in the Google Cloud console.
From this discussion it seems you can add it to a public repo. Its content ends up in the APK anyway and is probably easy to extract.