Skip to content
BlurFirst

How to Blur the Firebase Console During Screen Sharing (Hide Config & User Data)

7 min read

Presenting from Firebase on a call? Here's how to hide the config and web API key, the project ID, the Authentication users list, Firestore documents, service account keys and Cloud Messaging keys before you share your screen.

To hide config and user data in the Firebase console during a screen share, blur the sensitive items in the page before you present — the Firebase config and web API key with your project ID in Project settings, the Authentication users list, and the documents in Firestore or the Realtime Database. BlurFirst paints each blur into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom, OBS and even a screenshot of the shared feed.

The console is a browser-based single-page app that re-renders as you move between Authentication, Firestore and settings, so lean on anchored region blurs for the fixed chrome — the project name and the project switcher in the top bar — and use element blur or Scan for individual values. Start blurring with Ctrl/⌘ ⇧ Y and keep the panic hotkey Ctrl/⌘ ⇧ H ready for the Users table.

What the Firebase console shows that you don't mean to share

  • Firebase config and web API key — under Project settings > General, the config snippet with apiKey, authDomain, projectId, storageBucket, appId and messagingSenderId.
  • Project ID and name — shown in the top bar and project switcher; opening the switcher lists every other project you can reach, naming clients and environments.
  • Authentication users — under Authentication > Users, the full list of accounts with email addresses, phone numbers, provider, sign-in dates and user UIDs.
  • Firestore and Realtime Database documents — collections and documents holding real user data: names, emails, addresses, order details and tokens.
  • Service account keys — under Project settings > Service accounts, the Generate new private key action produces a JSON key granting admin access to your backend.
  • Cloud Messaging keys — the Server key and Sender ID under Cloud Messaging, used to send push notifications to your app's users.
  • Storage paths — Cloud Storage file names and folders that can encode user IDs or client names.

Blur the Firebase console step by step

  1. 1

    Open the section you'll present

    Navigate to Authentication, Firestore or the exact settings page before the call, so you never open Project settings live with the config and web API key on screen.

  2. 2

    Box-blur the project name and switcher

    Drag a box over the top-bar project name and the switcher so the name and project ID stay hidden, and don't open the switcher dropdown live. The anchored box keeps covering the bar as the console re-renders.

  3. 3

    Element-blur the config, keys and UIDs

    On Project settings > General, click the config snippet to frost the apiKey and projectId; do the same for a Server key under Cloud Messaging and for user UIDs in the Users table.

  4. 4

    Run Scan across users and documents

    One click runs Scan (Pro), which detects email, phone, credit-card and API-key patterns locally and blurs them — ideal for the Authentication Users list or a Firestore document full of PII. It won't treat a UID, a project ID or a collection name as a pattern, so blur those yourself.

  5. 5

    Avoid downloads and keep panic ready

    Don't click Generate new private key on the call; the JSON downloads as a file BlurFirst can't touch once it leaves the browser. If a document or the Users table scrolls PII into frame, press Ctrl/⌘ ⇧ H to blur the whole page instantly.

Sensitive itemWhere it appearsBest gesture
Config + web API keyProject settings > GeneralElement-blur the snippet
Project ID + nameTop bar, project switcherBox-blur; don't open switcher live
Auth users (emails, UIDs)Authentication > UsersScan, or box-blur the table
Firestore documents (PII)Firestore, Realtime DatabaseScan, or element blur per field
Cloud Messaging server keyCloud MessagingElement blur
What to hide in the Firebase console, and the gesture that fits.

Why security rules don't cover what's on screen

Firebase Security Rules decide which client requests can read or write your data; a private project decides who can sign into the console. Neither controls what a person watching your screen sees. On a share the signed-in user is *you*, and the console prints the web API key, the config and every user's email in plain view. A web API key isn't a secret on its own — but paired with permissive rules it maps your whole project, and a service account key is a full admin credential. Rules and access gate the backend; blurring works at the presentation layer, controlling what the viewer sees regardless of your rules.

Reuse your Firebase blurs each session

If you present from the console regularly, set the structural blurs once and let BlurFirst Pro's per-site auto-apply re-apply them whenever you open console.firebase.google.com. Your box over the project name and switcher comes back automatically and survives the console's re-rendering as you move between Authentication, Firestore and settings. The profile stores only a CSS selector for each region, never the config, keys or user data inside it.

Frequently asked questions

The web API key is public anyway — do I really need to blur it?

The web API key isn't a secret by itself, but on screen it reveals your project ID and config, and with permissive Security Rules it can be used to probe your data. It's worth blurring alongside the rest of the config. The service account key and Cloud Messaging server key, by contrast, are true secrets you must never show.

How do I hide the whole Authentication users list quickly?

Run Scan (Pro) to blur emails and phone numbers across the table in one click, or box-blur the Users grid. For a single account, element-blur its row. Panic (Ctrl/⌘ ⇧ H) hides everything instantly if the list scrolls into frame.

Can BlurFirst hide a service account key?

It can blur a key shown in the page, but the console offers service account keys as file downloads. Don't click Generate new private key on a call — once the JSON downloads it's outside the browser and outside BlurFirst. Treat any key that was generated or shown as sensitive.

Will the blurs survive moving between Authentication, Firestore and settings?

Yes. Region blurs are anchored to a screen area and re-apply as the single-page console redraws. Per-site auto-apply (Pro) restores your structural blurs automatically each visit.

Does anything I blur leave my machine?

No. BlurFirst runs entirely in the browser and only makes a license-check request. Scan runs locally, so your config and user data never leave the page.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome