Unless using Public rules in Firebase, the API key can’t access data

Update: Please watch the video before you reply, it explains things in more detail. I have no problems setting rules, and no problems accessing data when rules are set to “true”. I am not using Firebase Authentication, just the Web API key.

One of the issues with using these Firebase Rules:

  "rules": {
  ".read": true,
  ".write": true

…is that anyone can access your Firebase DB via API (e.g. via cURL), without the API key, because those rules above mean that the Firebase DB is open to the public, as shown in this warning:

Essentially this means that you don’t need to use the API key, if your rules are set to the same as those above. I’ve done a video here (please do not share this video elsewhere), to demonstrate the data issues.

Common database rules for Firebase: Common Database Rules for Firebase · GitHub

I’d also like to point out that for the time being I am using a REST API build on MySQL, instead of Firebase to ensure my data is secure. It’s not ideal, but secure is far more important than Realtime data.

For those interested in the Dark Theme, there is a new post about it, more info here

I have had no trouble setting rules. I will take a closer look at your post when in front of my screen.

I assume you have put in your own firebase credentials into Thunkable and you are not trying to sey rules using Thunkables default account.

You are right, the rules need to be changed as soon as you figure out firebase. At a minimum, I use these

“rules”: {
“.read”: “auth.uid != null”,
“.write”: “auth.uid != null”

Please watch the video if you have time, it explains in more detail. Thank you.

1 Like

I’ve settled on this:

“rules”: {
“users”: {
“$user_id”: {
“.write”: “$user_id === auth.uid”,
“.read”: “$user_id === auth.uid”

excerpt of larger set. the parenthesis may not be paired. havn’t got my glasses with me. :rofl:

I can confirm that this does not allow API access to Firebase (unless using Firebase Auth as well).

I will try it, but I think you’ve use the wrong kind of inverted commas, it should be straight ones like this:


Not 66/99 like this

Update: These kind of Rules will only work when using Firebase Authentication. I am not using Firebase authentication. As it states in the video.

It may my phones keyboard doing that but…

i didn’t know it made a difference. lll have to research that.:+1:

1 Like

Please can anyone on this thread not shoot out a quick reply with what you assume is the answer, unless you actually watch the video, because at the moment everyone is giving wrong solutions.

If you have a solution, great, please post it! But I’m not here to ask for people to guess and post their suggestions…

interesting response. I answer threads for the benefit of the community in addition to the person posting. Apologies for my trigger happy reaponse. I will now leave this thread to someone that has access to the video with their glasses on. :laughing:

Interestingly I asked something not too dissimilar on the AI2 Forum. You can check out the topic here.

What you are effectively seeking is the Firebase Admin SDK as opposed to the JS Client SDK. I have managed to implement this on my server and using it with Node JS and am looking into it for my PHP development. After communication with ‘Firebase support’ and a thread in the github community, I found out that unlike the Client SDK the admin sdk is not available on the web client side. As you say, this is not a Thunkable issue but a Google design parameter.

If you do find a workable solution, please update this thread and of course I will do the same.


I think you may be right, and I might just have to use the web API to interface rather than using Thunkable’s solution, or role my own damn server with something like Mongo…

It sounds like you are using Thunkable to extend your existing web development skills, which is brilliant! It is exactly what I see this kind of environment as being the best use case for, rather than (just) those with zero coding skills, because it enables quick app development with existing data, which for me at least is exactly what I need!

For now I’m using SQL on cloud and JWT Auth to manage data. SQL on cloud has taken standard hosting MySQL response time from 9s, down to 0.5s!


If you are ONLY using the Realtime DB and NOT Firebase Authentication, I would set read to true but write to false, this allows you to read the data but not edit it. Hope this helps!

1 Like

You are replying on a post where the last response was a year ago.