Firebase Cloud Messaging server key
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A legacy Firebase Cloud Messaging server key was found. It can be used to send push notifications to every device registered to your app.
Why it matters
A Firebase Cloud Messaging server key can send push notifications to every device registered to your app. A leaked key lets an attacker spam or phish your entire user base through trusted notifications. The legacy server key is a single long-lived secret.
How to fix it
Move the server key into a server-side environment variable, or migrate to the newer FCM HTTP v1 API with a service account. Regenerate the legacy server key in the Firebase console after removing it from code.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo