Is the Firebase API key a secret?

The Firebase API key is not a secret and is designed to be included in client-side code. It serves as a project identifier rather than an authentication credential, similar to a public project ID. The API key alone cannot read or write data since that access is controlled by Firebase Security Rules and Firebase Authentication. However, if security rules are misconfigured, anyone with the API key can access your data because it is publicly visible in your JavaScript bundle. UNPWNED verifies that your Firebase project has proper security rules in place so that the public API key cannot be exploited for unauthorized data access.