- Firebase AI security relies on four distinct layers that work together — most developers only know about one.
- Firebase AI security protects your Gemini API key by routing all requests through Firebase’s own proxy servers.
- Template-Only Mode, announced at Google I/O 2026, prevents prompt injection by keeping all system instructions server-side.
- App Check uses device attestation to block unauthorised clients before they can drain your token quota.
Client-Side AI Is Powerful — and Exposed
Firebase AI security became a front-burner conversation at Google I/O 2026 when Google announced that Firebase AI Logic had reached general availability. The pitch is genuinely compelling: call Gemini directly from your web or mobile app, no backend server to manage, no infrastructure bill to justify, no DevOps headaches. For indie developers and fast-moving teams, that’s a meaningful shift in what’s possible.
But there’s a tension baked into that convenience. The moment you move an AI endpoint to the client, you’ve created a publicly reachable attack surface. Anyone with a packet sniffer, a decompiler, or a scripting habit can start probing it. Google clearly thought hard about this problem before shipping — Firebase AI Logic comes with four distinct security mechanisms, each one targeting a specific class of threat. The trouble is that most of the developer coverage so far treats them as interchangeable or only covers one in passing.
They’re not interchangeable. They compose. Understanding Firebase AI security means understanding how each layer works and why you need all four.
Layer 1: The Proxy Architecture That Hides Your Gemini Key
The most obvious risk with any client-side AI integration is the API key problem. Your Gemini API key carries billing authority — if someone extracts it from your app bundle and scripts against it, you’re paying for their inference. App bundles are decompilable. It’s not theoretical; it’s a solved problem for anyone with fifteen minutes and the right tools.
Firebase AI security’s proxy architecture sidesteps this entirely. When you initialise the SDK, your requests don’t go directly to Google’s Gemini API. They route through Firebase’s own servers, which hold your Gemini API key on the backend. The only credential that ever reaches the client is your Firebase Web API key — and that’s not a secret. It’s a project identifier, scoped and controlled by your Firebase security rules, not a billing credential.
The distinction matters enormously. Leaking a Firebase Web API key doesn’t hand anyone your Gemini budget. Leaking a Gemini API key does. Firebase AI security’s architecture ensures the latter never appears in your codebase, your network traffic, or your compiled binary.
This is the foundational layer. Everything else builds on top of it.
Layer 2: Server Prompt Templates and Template-Only Mode
Hiding your API key solves one problem. It doesn’t solve what happens once a legitimate-looking request reaches your AI model. Two separate threats live at the prompt layer, and they require a different tool entirely.
First, there’s prompt extraction. If your system instructions — the personality, constraints, and behavioural rules you’ve baked into your AI — live in client code, anyone who decompiles your app can read them verbatim. That might not sound catastrophic until you consider that those instructions often encode competitive logic, safety guardrails, or persona details your product depends on.
Second, there’s prompt injection. If your app constructs prompts dynamically by concatenating user input with system instructions on the client, a determined attacker can craft inputs designed to override those instructions. It’s one of the most well-documented attack patterns against LLM-based applications, and it’s surprisingly easy to pull off against naive implementations.
Firebase AI security addresses both threats through server prompt templates, defined in the Firebase console using Dotprompt syntax. You specify the model, temperature, safety settings, input schema, and system instructions entirely server-side. The client sends only a template ID and a set of typed variable values. It never sees the underlying prompt configuration, can’t modify it, and can’t inject additional instructions around it.
The more aggressive version of this is Template-Only Mode, announced at Google I/O 2026. With it enabled, Firebase AI Logic will flat-out refuse any request that includes custom prompt instructions from the client. Only server-stored templates execute. A client that tries to pass raw system instructions gets ignored.
There’s a TypeScript angle here worth appreciating. When you define a typed interface matching your template’s input schema, the compiler enforces the contract. If a developer inadvertently tries to pass a field that wasn’t declared in the schema — something that could theoretically bleed into the prompt — the build fails before it ships. Firebase AI security, in this case, is partly enforced at compile time.
Layer 3: App Check Blocks Unauthorised Clients Entirely
Template-Only Mode secures what gets sent. App Check controls who’s allowed to send anything at all.
The threat it targets is straightforward: even with a hidden API key and server-side prompts, your Firebase endpoint is still reachable from the public internet. Someone could build a script that mimics your app’s requests and hammers your quota. Or they could set up a competing product that piggybacks on your Firebase project’s Gemini access. Neither scenario is far-fetched — quota exhaustion attacks against AI services are already a documented pattern.
App Check addresses this through device attestation. On Android, it uses Play Integrity. On Apple platforms, DeviceCheck. On the web, reCAPTCHA Enterprise. Each provider generates a cryptographic token that proves the request originated from a genuine, unmodified instance of your app on a real device. That token accompanies every Firebase AI request. Firebase validates it server-side before processing the call.
Scripts don’t have access to Play Integrity. Emulators running modified app binaries fail the attestation check. Web scrapers can’t generate valid reCAPTCHA Enterprise tokens without the legitimate app context. App Check effectively turns your AI endpoint from a public API into one that only your real app can call.
What makes App Check a particularly strong component of Firebase AI security is that it’s enforced at the Firebase infrastructure level, not in your application code. An attacker can’t bypass it by reverse-engineering your app, because the check happens server-side before your backend logic runs.
Layer 4: Model-Level Safety Settings at Inference Time
The first three layers of Firebase AI security handle who can call your endpoint, what credentials they use, and what prompt they can trigger. The fourth layer addresses what happens during inference itself.
User input that reaches a language model isn’t sanitized by default. Even with server-side prompt templates enforcing your system instructions, a user could attempt to pass adversarial content through the legitimate input variables — content designed to manipulate the model’s output, extract sensitive training data, or generate responses that violate your policies.
Firebase AI Logic exposes Gemini’s built-in safety settings at the template configuration level, not the client level. Harm categories — harassment, hate speech, dangerous content, and others — can be set to block at specific thresholds directly in your Dotprompt template. Because these settings live server-side with the rest of the template configuration, users can’t adjust them, and developers can’t accidentally omit them when writing client code.
The model itself is also doing safety evaluation at inference time. Gemini’s built-in filters run regardless of what the client sends. What Firebase AI security’s configuration layer adds is the ability to tune those thresholds for your specific use case and lock that configuration in place on the server.
Why All Four Firebase AI Security Layers Matter Together
It’s tempting to look at this and decide one or two layers are enough. If App Check is blocking unauthorised clients, do you really need Template-Only Mode? If your prompts are server-side, does the proxy architecture still matter?
Yes to both. Each layer of Firebase AI security closes a distinct gap. The proxy architecture prevents API key theft. Server templates prevent prompt extraction and injection. App Check prevents unauthorised client access. Model-level safety settings prevent adversarial inference-time attacks. Remove any one of them and you’ve left a specific, exploitable attack surface open.
Google’s decision to ship all four together — rather than leaving developers to bolt on security after the fact — reflects a more mature approach to AI platform design than we’ve seen from some competitors. The developer experience of Firebase AI Logic is legitimately good. But the Firebase AI security model is what makes it plausible to ship AI features to production without a dedicated backend team standing between your users and the model.
As client-side AI becomes a standard pattern rather than an experiment, the industry needs more platforms thinking this carefully about the threat model. Firebase AI Logic at GA sets a bar that others building AI SDKs will have to clear.
