Firebase Secrets and Environment Variables
Some Instamobile React Native apps include Firebase Functions for payments, OpenAI, notifications, media processing, chat, or webhooks. These backend features often need API keys and private configuration that must never be stored inside the mobile app.
Quick Answer
Put public Firebase config files in the mobile app, but keep private API keys in Firebase Functions secrets or backend environment variables. Never ship Stripe secret keys, OpenAI keys, Twilio auth tokens, service account JSON files, webhook signing secrets, or admin credentials inside the React Native source code.
Public vs Private Configuration
| Configuration | Where it belongs | Example |
|---|---|---|
| Firebase iOS config | mobile app | GoogleService-Info.plist |
| Firebase Android config | mobile app | google-services.json |
| Firebase web/client API key | mobile app when required by Firebase SDKs | Firebase client config |
| Stripe publishable key | mobile app | pk_live_... |
| Stripe secret key | Firebase Functions secret | sk_live_... |
| Stripe webhook secret | Firebase Functions secret | whsec_... |
| OpenAI API key | Firebase Functions secret | sk-... |
| Twilio auth token | Firebase Functions secret | Twilio account token |
| Admin SDK service account | local deploy machine or Google-managed runtime | serviceAccountKey.json only for local tooling |
Firebase client config identifies your Firebase project. It is not the same as a private backend secret. Security still depends on Auth, Firestore rules, Storage rules, App Check, and backend authorization.
Common Secrets By App Type
| App type | Common secrets |
|---|---|
| ChatGPT / AI chat | OpenAI API key, model routing config, safety/backend limits. |
| Ecommerce / Stripe | Stripe secret key, webhook signing secret, connected account config. |
| Video Chat | Twilio account SID, auth token, API key secret, push credentials. |
| Social apps | media moderation keys, notification service keys, third-party APIs. |
| Appointments / Marketplace | email provider keys, SMS provider keys, payment secrets. |
Configure Secrets For Firebase Functions
Modern Firebase Functions projects can use parameterized configuration and Secret Manager-backed secrets.
From the Firebase Functions folder, inspect the function code for secret names. Common patterns include:
```js
defineSecret('OPENAI_API_KEY')
defineSecret('STRIPE_SECRET_KEY')
defineSecret('STRIPE_WEBHOOK_SECRET')
defineSecret('TWILIO_AUTH_TOKEN')
```
Then set the matching secrets:
```sh
firebase functions:secrets:set OPENAI_API_KEY
firebase functions:secrets:set STRIPE_SECRET_KEY
firebase functions:secrets:set STRIPE_WEBHOOK_SECRET
```
Deploy the Functions after secrets are set:
```sh
firebase deploy --only functions
```
Verification
A deployed function can only read a secret if the function code binds that secret to the function. If logs show a missing secret, check both the secret value and the function definition.
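The check below is an added example, not code from the Instamobile apps or from Firebase. It assumes the behaviour of 2nd-generation Firebase Functions, where a secret declared with defineSecret('NAME') and listed in the function's secrets option is exposed to the running function as process.env.NAME. The handler resolves its secrets before calling the provider, so a missing binding produces a log line that names the secret (never its value) and points at the two causes listed above instead of a bare INTERNAL error. `callProvider` is a placeholder for the real SDK call.

```javascript
// Added example (not Instamobile's or Firebase's code): fail-fast secret checks for a
// Firebase Function handler. Assumes bound secrets arrive as process.env.<NAME>.

// Return the requested secrets, or throw an error that names what is missing.
function loadSecrets(required, env = process.env) {
  const missing = required.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    // Name the secret, never its value.
    throw new Error(
      `Missing secret(s): ${missing.join(', ')}. ` +
        'Check that each was set with "firebase functions:secrets:set <NAME>" and that ' +
        'the function definition binds it in its secrets option, then redeploy.'
    );
  }
  return Object.fromEntries(required.map((name) => [name, env[name]]));
}

// Redact a secret for logs: keep only the provider prefix and the length.
function redact(value) {
  return `${value.slice(0, 3)}...[${value.length} chars]`;
}

// Present/missing summary of the bound secrets, safe to put in a troubleshooting log line.
function secretStatus(names, env = process.env) {
  return Object.fromEntries(
    names.map((name) => [
      name,
      typeof env[name] === 'string' && env[name].trim() !== '' ? 'present' : 'MISSING',
    ])
  );
}

// Handler body: resolve secrets first, then call the provider. The error returned to the
// client never includes the secret or the raw provider error.
function handleRequest(body, env, callProvider) {
  let secrets;
  try {
    secrets = loadSecrets(['OPENAI_API_KEY'], env);
  } catch (err) {
    console.error(err.message, secretStatus(['OPENAI_API_KEY'], env));
    return { status: 500, error: 'Backend misconfigured: missing secret' };
  }
  console.log('using key', redact(secrets.OPENAI_API_KEY)); // prefix and length only
  return { status: 200, data: callProvider(secrets.OPENAI_API_KEY, body) };
}

module.exports = { loadSecrets, redact, secretStatus, handleRequest };
```

In a real function the same `loadSecrets` call sits at the top of the handler; the emulator needs the same names in its local environment (see Local Development below) or the check fails in exactly the same way as a missing production binding.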
Local Development
For local function testing, use the Firebase Emulator Suite or local .env files only when the function code supports them.
Do not commit local secrets:
```text
firebase/functions/.env
firebase/functions/.env.local
firebase/functions/serviceAccountKey.json
```
If you need a service account key for importing seed data, keep it outside git and delete it from the working folder after import.
Secret Rotation
Rotate secrets when:
- a key was committed accidentally;
- a contractor or vendor no longer needs access;
- a production incident happened;
- a payment or AI provider recommends rotation;
- you are moving from staging to production credentials.
After rotation:
- set the new secret value;
- redeploy affected Functions;
- verify the production workflow;
- revoke the old key in the provider dashboard;
- check logs for failures.
What Not To Put In The Mobile App
Never include these in React Native code, config files, screenshots, or public docs:
- Stripe secret keys;
- OpenAI API keys;
- Twilio auth tokens;
- Firebase Admin SDK private keys;
- webhook signing secrets;
- OAuth client secrets;
- service account JSON files;
- private SMTP credentials;
- production database export files.
Troubleshooting
Function returns INTERNAL
Open Functions logs and check for missing secret values, invalid provider keys, wrong Firebase project selection, or wrong region.
```sh
firebase functions:log
```
Stripe webhook fails
Confirm the webhook endpoint URL, webhook signing secret, live/test mode, and the deployed Function region.
OpenAI request fails
Confirm the OpenAI API key is configured as a backend secret, the Function has access to it, billing is active with the provider, and the request is made from the backend rather than the mobile app.
Local emulator cannot read secrets
Check whether the project uses Firebase Functions secrets, .env files, or both.
For local tests, set local emulator-compatible values and keep them out of git.
Next Steps
- Deploy Firebase Functions
- Firebase Costs and Blaze Plan
- Firebase Production Checklist
- ChatGPT Firebase and OpenAI Setup
- Stripe Payments
FAQ
Are Firebase config files secret?
No. Firebase client config files identify your Firebase project and are expected to be present in client apps. Protect the project with Auth, rules, App Check, and backend authorization.
Can I call OpenAI directly from the React Native app?
Do not ship an OpenAI API key in a mobile app. Route requests through Firebase Functions or another backend that can enforce limits and protect the key.
Can I use the same secrets for staging and production?
Use separate provider credentials for staging and production when possible. This prevents test traffic from affecting production data, billing, and logs.