I have a single white-label Android mobile app, that can be built for approx 30 clients with its own features (all these apps have a unique app-id). All these apps connect to the Firebase project with a single RTDB. Clients' data in the DB is split by root nodes named by a client name.
The question is how can I restrict data access by clients without auth, but using app-ids only? Maybe it makes sense to split clients' data into separate databases. How many Realtime Databases can be created for a single project?
All these apps connect to the Firebase project with a single RTDB. Clients' data in the DB is split by root nodes named by a client name.
As far as I understand, you have a single Firebase project, in which all your 30 clients are using the same Realtime Database instance, and each client is represented by a node which is a child of your root reference. If I understood correctly, I could say that this is a very common approach.
The question is how can I restrict data access by clients without auth, but using app-ids only?
Unfortunately, without the Firebase Authentication, there is not much you can do. If you decide to not use the Firebase Authentication, it means that anybody who knows your project ID and App IDs will be able to read/write to/from your database. Which is obviously bad, since malicious users can take advantage of it.
Maybe it makes sense to split clients' data into separate databases?
That's also a widely used solution, in which each user has its own Realtime Database instance. But this doesn't mean that you don't have to implement Firebase Authentication and secure your databases using Firebase Realtime Database Security Rules.
How many RTDB can be created for a single project?
According to the official documentation of the Realtime Database regarding limits and quotas:
You can create up to 1,000 database instances in the same Firebase project.
But only if you're on the Blaze pricing plan. So if you only have 30 clients, there is nothing you should worry about.