As many probably already know, by default, the API calls we make in FlutterFlow are public, which means that by decompiling our APK or opening developer tools on the web, one can access our secret keys.
Well, as many also probably know, the method FlutterFlow offers to make our API calls private is to deploy them as Firebase Cloud Functions.
This implies that even if your backend is in Supabase, you'll have to use Firebase to store your secret keys for the API calls you make. (By the way, the equivalent of Cloud Functions in Supabase is Edge Functions. Would it be possible to do the same with Supabase then?)
Since the documentation doesn't explain what really happens when an API call becomes a Firebase Cloud Function, that's why I'm making this post: What is being protected and how? What happens to the API keys and authorization headers introduced in our API calls? How do they start being managed?
I also understand that a technique some use for this is to use BuildShip instead of Cloud Functions, which in theory (actually, I'm not sure) would offer the same protection. In this scenario, even if FlutterFlow has Supabase integrated, you would have to use BuildShip's integration with Supabase to make API calls to Supabase from our FlutterFlow app (this is usually done especially for searching data in our tables, that is, for the search function in our apps).