Hiding our API key

We need to move our API key and messagingSenderId to a separate file, and then ensure that the file is not checked into Git:

1. To do so, create a file in public/ called secrets.js. In that file, place the following:

window.apiKey = "YOUR-API-KEY”
messagingSenderId = "YOUR-SENDER-ID"

Again, we're taking advantage of the globally accessible window object to store the key. For those of you new to JavaScript, note that it is not good practice to abuse the window object; only use it when absolutely necessary.

1. To use this key in index.html, we can add the following above all the other script tags:

<script src="/secrets.js"></script>

1. Then, in our Firebase initialization:

 <script>  
   // Initialize Firebase
   var config = {
     apiKey: window.apiKey,
     // ...rest of config
     messagingSenderId: window.messagingSenderId
   };

1. As the last step, we need to tell Git to ignore the secrets.js file. You can do so by modifying our .gitignore file in the project base, adding the following line:

/public/secrets.js

All done! We can now commit and push up freely.