Let's say that you are using a version control system and your project uses services that require API keys. Everything is all good when they're on your local machine, but you don’t want to share these API keys with the world.

So how can you still preserve your API keys within your application, but also hide them when you upload your code to your repository?

You probably want to be able to still use your API keys in a normal fashion inside your applications, but also not expose them.

What Are Secrets?

That’s where secrets come in. Similar to those that you keep only to yourself, but in a developer kind of way.

Secrets can represent crucial information that is required by your application to operate, but should not be visible to anyone working outside the project.

These can be API keys or authorization tokens, but in essence a secret is any piece of authorization information that should only be used by you and you alone. It's similar to how you don’t want to share your password to a website with anyone else.

🚨 Disclaimer: Be aware that the solution provided in this article works for not exposing your secrets from your version control system. But since they are part of your application, they can still be discovered by decompiling your APK.

How to Keep Your Secrets Safe

In your project, you should have a local.properties file under the root directory of your project

To make sure it is ignored by your version control system, open the .gitignore file and see that it is found there:


You will need to import to your project the Secrets Gradle plugin.

To do this, go to your project’s root build.gradle file and paste in the following line:

buildscript {
    dependencies {
        id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin' version '2.0.1' apply false

Next, go to your app’s build.gradle file and paste in the following line:

plugins {
    id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin'

Add your API key inside the local.properties file:


You can use your secret inside your AndroidManifest.xml file by adding a meta-data tag inside your application tag:

            android:name="YOUR_API_KEY_NAME"     /// Choose any value here
            android:value="${API_KEY_NAME}"/>    /// Write the name you gave inside your local.properties file

To access your API key, you can use the PackageManager to get the meta data:

val applicationInfo: ApplicationInfo = application.packageManager
                .getApplicationInfo(application.packageName, PackageManager.GET_META_DATA)
val apiKey = applicationInfo.metaData["YOUR_API_KEY_NAME"]

Alternatively, you can also use the BuildConfig object to get it:


That’s it. Now you can rest easy knowing that your secrets won’t be exposed by your version control system.

Enjoy keeping your secrets. ㊙️

I used this on one of my recent projects, and you can see the source code (sans the secrets) here.

And if you want to check out other articles that I have written, you can go here.