I'm developing a web application using Polymer + Firebase. In my app, I'm trying to integrate it with Slack. In order to obtain an access token from Slack, I need to make an API call to Slack with the client secret key (generated by Slack).
The question is, where/how should I store this client secret key? Hardcoding this key in my Polymer app sure sounds like a big security no-no.
Thanks.
To set your environment variables, create a functions/.env file of the format ...
ACCOUNT=xxxx
API_KEY=yyyy
You can override these variables for specific project aliases. So if, for example, you'd aliased your project deployment instances as dev, stage, prod ... you can override the settings in your .env file with similar files named .env.dev, .env.stage or .env.prod.
Then in local emulator or deployed code you can use:
const functions = require('firebase-functions');
const apikey = process.env.API_KEY;
const url = `https://hooks.slack.com/services/${apikey}`
// call Slack API
For full details refer to
The Firebase documentation is (or was) rather vague about whether remote config was intended for use as a secure store. It should however NOT be used for storing secrets since it's designed to be accessible and used on both client and server.
At time of writing, the Firebase document did not make this security issue clear. So Firebase team ... please add a security warning at the top of the documentation for Remote Config. I know this has tripped up many Firebase developers who've assumed that "configuration" meant "secure configuration".
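The server-side exchange the question asks about, as an added example that is not part of the original answer: a Cloud Function reads the client secret from `process.env` (populated from functions/.env as described above), sends it only to Slack's `oauth.v2.access` endpoint via HTTP Basic auth, and returns a response to the browser that contains neither the secret nor the token. The variable names `SLACK_CLIENT_ID` and `SLACK_CLIENT_SECRET`, the function names, the injected `httpPost` parameter and the choice to keep the token server-side are assumptions made for illustration.

```javascript
// Added example: this code belongs in a Cloud Function, never in the browser bundle.
const SLACK_TOKEN_URL = 'https://slack.com/api/oauth.v2.access';

// Build the token request. The secret comes from the environment (functions/.env
// or .env.<alias>) and travels only in the Authorization header sent to Slack.
function buildTokenRequest(code, env) {
  const id = env.SLACK_CLIENT_ID;         // assumed variable name
  const secret = env.SLACK_CLIENT_SECRET; // assumed variable name
  if (!id || !secret) {
    // Fail closed, and never echo configuration values in the error.
    throw new Error('Slack client credentials are not configured');
  }
  if (typeof code !== 'string' || code.length === 0 || code.length > 512) {
    throw new Error('invalid authorization code');
  }
  const basic = Buffer.from(`${id}:${secret}`).toString('base64');
  return {
    url: SLACK_TOKEN_URL,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ code }).toString(),
  };
}

// What the browser receives: the outcome only, never the token or the secret.
function toClientResponse(slackJson) {
  if (!slackJson || slackJson.ok !== true) {
    return { ok: false, error: 'slack_oauth_failed' };
  }
  return { ok: true, team: slackJson.team ? slackJson.team.name : null };
}

// httpPost is injected: fetch in a deployed function, a stub in tests.
async function exchangeSlackCode(code, env, httpPost) {
  const req = buildTokenRequest(code, env);
  const res = await httpPost(req.url, req);
  const json = await res.json();
  // Persist json.access_token server-side here (storage is out of scope).
  return toClientResponse(json);
}
```

In a deployed function, call `exchangeSlackCode(code, process.env, fetch)` from the HTTPS handler that receives Slack's redirect.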