
firebase and google shortener with the same API key


As I understood, exposing the API key is not a security risk if I add validation rules to my database, as mentioned here,

var config = {
  apiKey: '<your-api-key>', // this key
  authDomain: '<your-auth-domain>',
  databaseURL: '<your-database-url>',
  storageBucket: '<your-storage-bucket>'
};

I also understood that I can call the Google shortener API with the Firebase API key. Now it is risky: anyone can call the Google shortener API with my Firebase API key. How can I avoid this?


Solution

API keys are generic identifiers for access across Google APIs - they're not just for Firebase. They are used for API access when you don't need to identify as a specific user (where you would use an OAuth access token).

API keys identify that your project is making a call, like passing a project ID, but, importantly, can be regenerated - so if one is being used by a bad actor, you can delete it.

So how do you use these API keys without opening yourself up to someone spamming another API?

Add a domain restriction. Browser-based keys can be restricted to require being on a certain domain. You can add these from the Google Developer Console:

1. Go to the 'Credentials' page for your project
2. Find your API key and select it
3. Select 'HTTP referrers (websites)'
4. Add each of your domains

Be careful with this! Make sure you cover all the domains you're running on, or you will block access (for example, if you have a .com and a .es version of your site, make sure both domains are whitelisted).

Don't enable the API. If you don't need the URL shortener enabled in the Firebase project, you can disable it from the Google Developer Console. Most APIs start disabled, and several types of API can't be called with an API key anyway (they require a service account, which is a bit more secure).