Firebase in test mode: why your database is public (and how to fix it)
If your Firebase project is still in 'test mode', anyone can read and write everything. Here's how to check and how to fix it.
Updated June 22, 2026 · 4 min read
Check your own app in 30 seconds — free, no login.
Passive scan of your app's public files only — no login, nothing stored, your code never leaves your machine. Scan only apps you own.
What 'test mode' actually means
When you create a Firestore or Realtime Database, Firebase offers a quick 'test mode' to get you started. Test mode installs a rule that allows all reads and writes — to everyone, no authentication required — usually for 30 days.
AI tools building on Firebase frequently leave this in place, because it makes the app 'just work' during development. The problem: your Firebase config (which is meant to be public) plus open rules means anyone who views your app can talk directly to your database and read, change, or delete everything in it.
How to check
Open the Firebase console → Firestore Database (or Realtime Database) → Rules. If you see something like 'allow read, write: if true;' or a comment about test mode expiring on a date, your database is open.
From the outside, VibeShield detects that your app uses Firebase and flags it: seeing that backend in use is your cue to open the console and verify the rules.
How to write rules that lock it down
Start by requiring authentication, then scope each document to its owner. A common Firestore pattern: 'allow read, write: if request.auth != null && request.auth.uid == resource.data.userId;' so a signed-in user can only touch their own records. One caveat: 'resource' is the document as it exists before the request, so on a create there is no 'resource' yet and that rule denies creating a new record; split 'write' into 'create' (check 'request.resource.data.userId', the incoming document) and 'update, delete' (check 'resource.data.userId').
Write rules per collection based on who should access what, publish them, and then test: try reading a collection while signed out — you should be denied. If open access still works, the rules aren't taking effect.
Don't rely on your app's UI to 'not show' the data. The rules are the only thing standing between a stranger and your database; the UI is not a security boundary.
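The following is an added example written for this article, not rules taken from the page or from VibeShield. It shows the test-mode rule the console installs (for comparison, commented out) next to a locked-down ruleset for two assumed collections: 'notes', where each document carries a 'userId' field, and 'users', keyed by the account's uid. The collection names, the field name and the expiry date are assumptions for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- What 'test mode' looks like (DO NOT SHIP) -------------------
    // The console's template allows every read and write from anyone until
    // the date passes, then denies everything. The date is a placeholder.
    //
    // match /{document=**} {
    //   allow read, write: if request.time < timestamp.date(2026, 7, 22);
    // }
    // -----------------------------------------------------------------

    // Reusable checks. 'request.auth' is null for unauthenticated callers.
    function signedIn() {
      return request.auth != null;
    }
    // 'data' is a document's fields; the caller must own the record.
    function isOwner(data) {
      return signedIn() && request.auth.uid == data.userId;
    }

    // /notes/{noteId}: each document stores its owner in 'userId' (assumed).
    match /notes/{noteId} {
      // Reading an existing note: check the stored document ('resource').
      allow read: if isOwner(resource.data);
      // Creating a note: no stored document exists yet, so check the
      // incoming one ('request.resource') and require it to be owned by
      // the caller. This is why a plain 'write' rule on resource.data
      // breaks creates.
      allow create: if isOwner(request.resource.data);
      // Updating: caller must own the current version and must not
      // hand the note to another uid.
      allow update: if isOwner(resource.data)
                    && request.resource.data.userId == resource.data.userId;
      allow delete: if isOwner(resource.data);
    }

    // /users/{uid}: profile documents keyed by the account's uid (assumed).
    // Any signed-in user can read profiles; only the owner can write theirs.
    match /users/{uid} {
      allow read: if signedIn();
      allow write: if signedIn() && request.auth.uid == uid;
    }

    // Anything not matched above is already denied; this makes it explicit
    // so the next person reading the file sees the intended default.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Publish with the console's Rules editor or 'firebase deploy --only firestore:rules', then exercise the three cases that matter: a signed-out read of /notes (expect permission-denied), a signed-in create of a note whose userId is your own uid (expect success), and a signed-in read of another user's note (expect permission-denied). The console's Rules Playground and the local emulator both let you run these checks without touching production data.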
Frequently asked questions
- Is my Firebase apiKey in the config a secret I need to hide?
- No. The Firebase web config (including apiKey) is designed to be public — it identifies your project, it doesn't grant access. Your security comes entirely from your Firestore/Realtime Database rules.
- Test mode expired and my app broke — what happened?
- When test mode lapses, the default becomes deny-all, so every read and write fails. That's your signal to write real rules that allow the specific access your app needs.
Don't guess — scan it
VibeShield checks your live app for exposed keys and open databases in about 30 seconds, and hands you the fixes.