If your Apple app uses one ofFirebase ML's cloud APIs, before you launch your appin production, you should take some additional steps to prevent unauthorizedAPI access.

1. Reduce the scope of existing API keys

First, configure your existing API keys to disallow access to the Cloud VisionAPI:

1. Open theCredentials page of theGoogle Cloud console. When prompted, select your project.

2. For each existing API key in the list, open the editing view.

3. In theAPI restrictions section, selectRestrict key, then add to thelist all of the APIs to which you want the API key to have access. Make suretonot include the Cloud Vision API.

   When you configure an API key'sAPI restrictions, you are explicitlydeclaring the APIs to which the key has access.By default, when theAPIrestrictions section hasDon't restrict key selected, an API key can beused to access any API that is enabled for the project.

Now, your existing API keys will not grant access to cloud ML services, but eachkey will continue to work for any APIs that you added to itsAPI restrictionslist.

Note that if you enable any additional APIs in the future, you must add them totheAPI restrictions list for the applicable API key.

2. Create a new API key for use withFirebase ML

Next, create a new API key forFirebase ML that only allows calls to theCloud Vision API:

1. Return to theCredentials page. Be sure yourFirebase project is still selected.

2. ClickCreate credentials > API key. Take note of the new API key, thenclickRestrict key.

3. In theAPI restrictions section, selectRestrict key, then add to thelistonly the Cloud Vision API.

This API key grants access only to the Cloud Vision API and can be used byFirebase ML to access cloud-based models.

3. Recommended: Reduce the Cloud Vision API's quota

To help mitigate the consequences of a compromised key, you should reduce theCloud Vision API's per-user quota from its default setting. To do so:

1. Open theCloud Vision API Quotas page of theGoogle Cloud console. When prompted, select your project.

2. In theRequests section, set theRequests per minute per user quotato something reasonable for your app. For example, if your app involvesuploading a picture of a document to get back its text, it's unlikely that auser will do that more than once every few seconds, so a quota of 30-40would probably be safe.

   Note that in this context "requests per user" refers to requests from asingle IP address. You might need to consider this if you expect multipleusers to use your app at the same time from behind a NAT.

4. Call Cloud APIs using yourFirebase ML API key

Finally, in your app, configureFirebase ML to use your new API key.

Because theFirebase ML API key allows unauthenticated access to the Cloud VisionAPI, it's important to keep the key confidential to prevent unauthorized use andcharges to your billing account. To do so, you should refrain from includingyour API key in your app binary. Instead, at app runtime, verify that a knowngood user is signed in, and only then, retrieve the API key from a server.

Even when these practices are observed, it is possible for an API key to becompromised. You should take steps to help mitigate the consequences of acompromised key, such as reducing the API's per-user quota as described above,implementing key rotation policies, and issuing different keys to differentgroups of users.

After your app has safely acquired the API key, when you want to call anFirebase ML Cloud API, specify the key:

ifletcloudVisionKey=getYourApiKey(){// See note above about securing your API keyletoptions=VisionCloudDetectorOptions()options.apiKeyOverride=cloudVisionKeyletcloudDetector=Vision.vision().cloudLandmarkDetector(options:options)}

NSString*cloudVisionKey=[selfgetYourApiKey];// See note above about securing your API keyif(cloudVisionKey!=nil){FIRVisionCloudDetectorOptions*options=[[FIRVisionCloudDetectorOptionsalloc]init];options.APIKeyOverride=cloudVisionKey;FIRVisionCloudLandmarkDetector*landmarkDetector=[visioncloudLandmarkDetectorWithOptions:options];}

In addition, you should follow the general advice inSecuring an API key.

Next steps

See thelaunch checklist for information onpreparing your app to launch when using other Firebase features.