Should I add the google-services.json (from Firebase) to my repository?

I just signed up with Firebase and I created a new project. Firebase asked me for my app domain and a SHA1 debug key. I input these details and it generated a google-services.json file for me to add in the root of my app module.

My question is, should this .json file be added to a public (open source) repo. Is it something that should be secret, like an API key?

A google-services.json file is, from the Firebase doc:

> Firebase manages all of your API settings and credentials through a single configuration file.
The file is named google-services.json on Android and GoogleService-Info.plist on iOS.

It seems to make sense to add it to a .gitignore and not include it in a public repo.
This was discussed in issue 26, with more details on what google-services.json contains.

A project like googlesamples/google-services does have it in its .gitignore for instance.
Although, as commented by stepheaw, this thread does mention

> For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That's why you won't see JSON files in most of our firebase repos on GitHub.

If the "database URL, Android API key, and storage bucket" are not secret for you, then you could consider adding the file to your repo.
As mentioned in "Is google-services.json safe from hackers?", this isn't that simple though.

baueric asks in the comments:

> In that post he says: > > The JSON file does not contain any super-sensitive information (like a server API key) > > But the google-services.json does have entry called api_key.
Is that a different api key than a "server api key"?

Willie Chalmers III points to "Is google-services.json safe from hackers?", and adds:

> Yes, that API key isn't a server API key which should never be public, so it's fine if your google-services.json is visible by others. > > In any case, you should still restrict how your client API key can be used in the Google Cloud console.

From this discussion it seems you can add it to a public repo. Its content ends up in the APK anyway and is probably easy to extract.

responding @Yaron last comment. based on my limited knowledge and use of firebase.

in firebase project console (where you download google-services.json) and get the API key. you put the app ID and also you provide an SHA certificate. so for the request to work it needs to be from the app corresponding with the same app ID and certificate.

so there is no 2end key in the codebase to hide. The back end verify.

It says the content of this file is public in the Firebase Documentation:

The content of the Firebase config file or object is considered 
public, including the app's platform-specific ID (Apple bundle ID or
Android package name) and the Firebase project-specific values, like
the API Key, project ID, Realtime Database URL, and Cloud Storage 
bucket name. Given this, use Firebase Security Rules to protect your
data and files in Realtime Database, Cloud Firestore, and Cloud Storage.