I have a webpage hosted in firebase static hosting. I want to connect it to a firebase database, but don't know how to secure my api keys.
Is it necessary to make an oauth2 auth or something like that?
Firebase configuration for mobile and web clients is effectively public. You can't hide it from view. All you can do is make it difficult to view (which is kind of a waste of time).
What you should be doing instead is putting effort into coming up with security rules for your database that restrict access to only those authenticated users allowed to access it.