Hello there! I don't know a lot about Firebase. Do I understand correctly that the credentials for the db are accessed in client-side code?
You're right, the API key is public. But there is nothing wrong with it, as in the Firebase world the client-side API key is merely an identifier your apps use to talk to Firebase services, and the real authorization happens with the help of Firebase Auth + Security Rules.
Once the user logs in on the client, a short-lived JWT token is issued by Firebase Auth; that token is passed with every request to RTDB, Firestore or Storage, and Security Rules are used to authorize the action or not.
You can read more here: RTDB and Firestore.
If I understood you correctly - yes. But it's important to note that you shouldn't commit those to git.
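
The authorization model described in the answer above, as an added example that is not part of the original thread: a Firestore Security Rules file with an open rule (commented out) beside a rule that checks the Firebase Auth token on each request. The `users` collection and the `userId` wildcard are assumptions chosen for illustration.

```firestore-rules
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (left commented out): with this rule the public API key is
    // effectively the only thing between any client and all data,
    // because no token is ever checked.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: request.auth is populated from the short-lived JWT that
    // Firebase Auth issued at login. Unauthenticated requests have
    // request.auth == null and are denied.
    // "users" and "userId" are hypothetical names for this example.
    match /users/{userId} {
      // Each signed-in user may read and write only the document whose
      // ID matches the uid claim in their own token.
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Paths with no matching allow statement are denied by default,
    // so nothing else needs an explicit "deny" rule.
  }
}
```

With rules like the hardened one deployed, a client that knows the API key but holds no valid token is refused by the rules rather than by the key.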