Critical: act in the next 60 seconds

Firebase service account JSON leaked: revoke and rotate keys

Your Firebase service account key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01

    Google Cloud Console → IAM & Admin → Service Accounts → click the firebase-adminsdk service account → Keys tab → Delete the leaked key.

  2. Step 02

    Click "Add Key → Create new key (JSON)". Download. Update your server env (or secret manager) with the new value.

  3. Step 03

    Audit Firestore data and Storage objects for unfamiliar writes/deletes in the last 24 hours.

Step 01 — Revoke

Kill the leaked credential first

IAM & Admin → Service Accounts → click "firebase-adminsdk-..." → Keys tab → click the trash icon next to the leaked key fingerprint → Confirm. Then "Add Key" → "Create new key" → JSON. Store in a secrets manager (Vercel env, Google Secret Manager).


Step 02 — Rotate

Update the new key in the right place

Server-side env vars only — never in client code, never with NEXT_PUBLIC_.

Server-only Admin SDK init
import { initializeApp, cert } from 'firebase-admin/app';

// Read the rotated key from a server-side secret and fail fast if it is missing,
// rather than letting the Admin SDK start without credentials.
const raw = process.env.FIREBASE_SERVICE_ACCOUNT_JSON;
if (!raw) throw new Error('FIREBASE_SERVICE_ACCOUNT_JSON is not set');
const serviceAccount = JSON.parse(raw);
initializeApp({ credential: cert(serviceAccount) });
// Never import this module (or the key file) from client code.

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan to confirm no other admin credentials are sitting in your project bundle or exposed paths.

How this usually leaks

  • serviceAccountKey.json committed to GitHub on first scaffold.
  • JSON pasted directly into a Lovable/Bolt frontend "for testing".
  • Stored in /public/admin.json by accident.
  • Logged on first app boot to a public log endpoint.

FAQ

Frequently asked questions

Can attackers wipe my Firestore data with this key?
Yes — service-account keys bypass Security Rules. They can read every document, write anything, and delete collections. Check the audit logs and restore from backups if needed.
Are Firebase Security Rules enough without rotating the key?
No. Security Rules apply to client SDKs, not Admin SDK access. The leaked key bypasses them entirely. Rotation is non-negotiable.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.