From d51ff517b0d54a6857b86cd5ca1913b0b0d2009e Mon Sep 17 00:00:00 2001 From: Nils Reichardt Date: Mon, 26 Jan 2026 18:49:17 +0100 Subject: [PATCH 1/3] Remove caution note for firebase_options.dart It is safe to commit your `firebase_options.dart` to Git, see https://stackoverflow.com/a/37484053/8358501. To actually secure your app, see [Firebase security checklist](https://firebase.google.com/support/guides/security-checklist). --- src/content/ai/ai-toolkit/index.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/content/ai/ai-toolkit/index.md b/src/content/ai/ai-toolkit/index.md index 023ed2eb76b..0a8757808d9 100644 --- a/src/content/ai/ai-toolkit/index.md +++ b/src/content/ai/ai-toolkit/index.md @@ -233,11 +233,6 @@ details into the `example/lib/firebase_options.dart` file. You can do this with the `flutterfire CLI` tool as described in the [Add Firebase to your Flutter app][add-fb] docs **from within the `example` directory**. -::: -note **Be careful not to check the `firebase_options.dart` file into your git -repo.** -::: - ## Feedback Along the way, as you use this package, please [log issues and feature From 89e4e8b2762a75b4811d35fbfaf67d72847ce05f Mon Sep 17 00:00:00 2001 From: nilsreichardt Date: Sat, 28 Feb 2026 20:31:42 +0100 Subject: [PATCH 2/3] Add security note for `firebase_options.dart` in AI toolkit documentation Reintroduces a caution regarding the handling of `firebase_options.dart`. It advises against committing this file to public repositories if the app directly calls AI services from the client, and recommends routing requests through a backend service for production apps. Additionally, it emphasizes the importance of following the Firebase security checklist. --- src/content/ai/ai-toolkit/index.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/content/ai/ai-toolkit/index.md b/src/content/ai/ai-toolkit/index.md index 0a8757808d9..be8ecb5390b 100644 --- a/src/content/ai/ai-toolkit/index.md 
+++ b/src/content/ai/ai-toolkit/index.md @@ -233,6 +233,15 @@ details into the `example/lib/firebase_options.dart` file. You can do this with the `flutterfire CLI` tool as described in the [Add Firebase to your Flutter app][add-fb] docs **from within the `example` directory**. +:::note Security considerations for `firebase_options.dart` + +If your Flutter app calls Gemini or Vertex AI directly from the client, do not commit `firebase_options.dart` to a public repository. Anyone could reuse your app configuration to send requests to your AI endpoint, consuming quota and potentially causing billing costs. + +For production apps, you should route AI requests through a backend service (for example [Cloud Functions for Firebase](https://firebase.google.com/docs/functions), [Cloud Run](https://cloud.google.com/run), or your own server). In that setup, the backend — not the client — controls access, and including `firebase_options.dart` in your repository is safe. + +You should also review and follow the [Firebase security checklist](https://firebase.google.com/support/guides/security-checklist). +::: + ## Feedback Along the way, as you use this package, please [log issues and feature From 0c365de849f62efd81c415de632d7ec88f391132 Mon Sep 17 00:00:00 2001 From: nilsreichardt Date: Sat, 28 Feb 2026 20:36:07 +0100 Subject: [PATCH 3/3] Apply Gemini suggestion --- src/content/ai/ai-toolkit/index.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/content/ai/ai-toolkit/index.md b/src/content/ai/ai-toolkit/index.md index be8ecb5390b..6d5964b4fea 100644 --- a/src/content/ai/ai-toolkit/index.md +++ b/src/content/ai/ai-toolkit/index.md 
@@ -235,9 +235,17 @@ app][add-fb] docs **from within the `example` directory**. :::note Security considerations for `firebase_options.dart` -If your Flutter app calls Gemini or Vertex AI directly from the client, do not commit `firebase_options.dart` to a public repository. Anyone could reuse your app configuration to send requests to your AI endpoint, consuming quota and potentially causing billing costs. - -For production apps, you should route AI requests through a backend service (for example [Cloud Functions for Firebase](https://firebase.google.com/docs/functions), [Cloud Run](https://cloud.google.com/run), or your own server). In that setup, the backend — not the client — controls access, and including `firebase_options.dart` in your repository is safe. +If your Flutter app calls Gemini or Vertex AI directly from the client, do not +commit `firebase_options.dart` to a public repository. Anyone could reuse your +app configuration to send requests to your AI endpoint, consuming quota and +potentially causing billing costs. + +While this guide shows direct client-side calls for simplicity, for production +apps, you should route AI requests through a backend service (for example [Cloud +Functions for Firebase](https://firebase.google.com/docs/functions), [Cloud +Run](https://cloud.google.com/run), or your own server). In that setup, the +backend — not the client — controls access, and including +`firebase_options.dart` in your repository is safe. You should also review and follow the [Firebase security checklist](https://firebase.google.com/support/guides/security-checklist). :::
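Review bot: In [PATCH 1/3], the hunk at `@@ -233,11 +233,6 @@` deletes the only security guidance in this section and puts nothing in its place. The rationale and the Firebase security checklist link exist only in the commit message, where readers of the page will never see them. If the old warning is wrong, replace it with a short note that says committing the file is acceptable and links the checklist, rather than removing the note silently. The justification also rests on a Stack Overflow answer; a docs change like this is better backed by a link to the official Firebase documentation.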
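Review bot: In [PATCH 2/3], the first added paragraph makes keeping `firebase_options.dart` out of a public repository the mitigation for quota and billing abuse, while 1/3 in this same series argues the file is safe to commit; the note should say which of the two holds and why. The second paragraph already names the actual control ("the backend — not the client — controls access"), so consider leading with that and with the security checklist, and presenting repository hygiene as secondary rather than as the protection itself. Two smaller points: "your AI endpoint" is vague next to "Gemini or Vertex AI" and would read better naming what is actually being called, and the added lines are not wrapped like the surrounding text in the file, which forces the follow-up rewrap in 3/3.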
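Review bot: In [PATCH 3/3], the new clause "While this guide shows direct client-side calls for simplicity" concedes that this guide is exactly the case the first paragraph warns about, yet the note never tells the reader what to do with the `example/lib/firebase_options.dart` they have just been told to generate. Add one sentence stating the expectation for this example explicitly. The sentence also stacks two introductory clauses ("While ..., for production apps, you should"); "This guide shows direct client-side calls for simplicity. For production apps, route AI requests through ..." reads more cleanly. The final line of the note, "You should also review and follow the [Firebase security checklist](...)", is left unwrapped while everything above it was rewrapped. The subject "Apply Gemini suggestion" does not describe the change; since this patch only rewords and rewraps what 2/3 added, squash it into 2/3.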