Firebase
Googlecloud3 credentials
Firebase Web API Key
firebase / web-api-key
Firebase web and mobile configuration includes API keys that identify the Firebase project and app to Firebase services. Firebase documents that Firebase API keys are public by design and do not need to be treated as secrets when restricted to Firebase services.
Looks like
exampleAIzaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
FIREBASE_API_KEY, NEXT_PUBLIC_FIREBASE_API_KEY, VITE_FIREBASE_API_KEYfirebaseConfig objects, google-services.json, GoogleService-Info.plist, .env files, and frontend build config
web bundles, mobile apps, examples, and committed Firebase initialization code
frontend build output and client SDK diagnostics
Notes
API keys identify the project but do not authorize access by themselves; Firebase Security Rules, Google Cloud IAM, and App Check provide authorization controls. Misconfigured restrictions still deserve review.
Service Account Private Key
firebase / service-account-private-key
Firebase Admin SDK server environments can authenticate with a Firebase Admin SDK service account. Firebase documents using a service account to communicate with Firebase from trusted server code.
Looks like
pattern-----BEGIN PRIVATE KEY-----Location
serviceAccountKey.json, firebase-adminsdk-*.jsondownloaded service account JSON credentials for server SDKs
GOOGLE_APPLICATION_CREDENTIALS, FIREBASE_SERVICE_ACCOUNT, GOOGLE_CREDENTIALScloud secret managers, CI/CD variables, Kubernetes Secrets, and platform app secrets
accidentally committed service account JSON, tests, and deployment scripts
CI output or stack traces that print credential JSON
Notes
Service account private keys can access Firebase and Google Cloud resources according to IAM roles. Prefer Application Default Credentials or workload identity where possible.
Firebase CLI Token
firebase / cli-token
Firebase CLI workflows can use login credentials or CI tokens to authorize project operations. Firebase CLI documentation describes authentication for deployment and project-management commands.
Location
FIREBASE_TOKENCI configuration, local Firebase CLI credential stores, and deployment manifests
CI/CD variables and hosted deployment secrets
legacy deploy scripts and accidentally committed CI examples
deployment logs and CI traces
Notes
Firebase CLI tokens authorize deployment and administrative actions for the projects reachable by the authenticated Google account or service setup.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.