by configurating revenuecat I need to trigger following code:
configuration = PurchasesConfiguration(googleApiKey) ..appUserID = userId ..observerMode = false;
I have no experience and no idea if this google-api-key is important or should be privacy, should I hardcode this googleApiKey in my flutter app, or I need to get this from google secret manager via cloud function? But if I get this from cloud function, there is no chance for hacker to get this apikey through my client, right?
thanks!
you should NOT do this, any important key should be declared in environment variables, in the case of a Flutter app you can you use the flutter_dotenv package.
The reason is very simple, the code is or could be in a public repository and no one guarantees you that it will not be used for bad purposes.
Edit 1: This indeed will only protect the key from other developers that you are sharing the code with, but as you mentioned in the comments and it is also mentioned in the issue post, it will not protect your API Key from reverse engineering it doesn't even matter if the key is in a binary file.
If that concerns to you, there are solutions like App check that can help you to prevent that someone makes an abuse of your resources.