There are different secrets we use when developing an mobile app. For example before distributing our app we need to sign it with our private release key or when we want to access an API we need to authenticate ourselves with an API key. Those information should not be in the source code repository. They should only be accessible by certain people or the build server but not by every developer in the team.

This article shows how to handle secrets in flutter projects using the example of adding a Google Maps Api Key for Android and iOS.

General idea

The general idea is to use environment variables to keep your secrets out of the source code repository. Most CI Tools like Travis CI, Gitlab CI or Github Actions allow to configure secrets which are then available during the build as environment variables.

Example configuring secrets for a github project
Example configuring secrets for a github project

So, how do we use those environment variables, in our case MAPS_API_KEY in Android and iOS?


First add following code to the top of ./android/app/build.gradle

def mapsProperties = new Properties()
def localMapsPropertiesFile = rootProject.file('')
if (localMapsPropertiesFile.exists()) {'Load maps properties from local file')
    localMapsPropertiesFile.withReader('UTF-8') { reader ->
} else {'Load maps properties from environment')
    try {
        mapsProperties['MAPS_API_KEY'] = System.getenv('MAPS_API_KEY')
    } catch(NullPointerException e) {
        project.logger.warn('Failed to load MAPS_API_KEY from environment.', e)
def mapsApiKey = mapsProperties.getProperty('MAPS_API_KEY')
if(mapsApiKey == null){
    mapsApiKey = ""
    project.logger.error('Google Maps Api Key not configured. Set it in `` or in the environment variable `MAPS_API_KEY`')

This code first tries to read This is used to supply a development MAPS_API_KEY on the developer machine. The properties file looks like this:

# Do not add to version control, this contains your local development configurations

If it can't find a properties file it loads the key from the environment variable. So of course you also could just set the environment variables on your local developer machine instead of using a properties file.

For Google Maps we need to add this key to the AndroidManifest. Therefore we add the previously loaded key to the defaultConfig in ./android/app/build.gradle:

android {
    defaultConfig {
        manifestPlaceholders = [MAPS_API_KEY: mapsApiKey]

and we can use this key in ./android/app/src/main/AndroidManifest.xml like this:

<manifest ...>

        <meta-data android:name=""

And that's it. We read the Google Maps Api key from the environment and used it in the AndroidManifest.xml


For iOS we add the environment variable by writing a script which reads the variable and generates swift code for us which we can use to access the api key and pass it to the Google Services.

1. Install Sourcery which is used for code generation.

  • Add pod 'Sourcery', '~> 1.0.0' to ./ios/Podfile right.
target 'Runner' do

flutter_install_all_ios_pods File.dirname(File.realpath(__FILE__))
pod 'Sourcery', '~> 1.0.0'
  • Run pod install to install Sourcery.

2. Add scripts to generate swift code containing your credentials

  • Create folder `./ios/credentials
  • On your local development machine you can add a script which sets the environment variables for you. Do not add it to version control.
  • Add a template for generating the Swift class ./credentials/Credentials.stencil
public struct Credentials {
	let mapsApiKey: String
public let credentials = Credentials(mapsApiKey: "{{ argument.mapsApiKey }}") 

This is the template used by Sourcery. It takes on argument mapsApiKey and replaces it in the code.

  • Add a script which does the code generation ./ios/credentials/

echo "Generate Credentials Code"

# Set credentials if local script for adding environment variables exist
if [ -f "$CREDENTIALS_DIR/" ]; then
  echo "Add credentials to environement"
  source "$CREDENTIALS_DIR/"

$SRCROOT/Pods/Sourcery/bin/sourcery --templates "$CREDENTIALS_DIR/Credentials.stencil" --sources . --output "$SRCROOT/Runner" --args mapsApiKey=$MAPS_API_KEY

This script calls Sourcery to generate a code file Credentials.generated.swift which we later can use in our code to access the api key. Make sure to add Credentials.generated.swift to .gitignore otherwise our key will end up in the repo again.

3. Add scripts to XCode Project

Last but not least we need to call our script from our XCode project before every build. Therefore:

  • Open the iOS Module in XCode
  • Select Runner > Build Phases > Add a "Run Script"-Phase before the "Compile Sources"-Phase
  • Enter /bin/sh ./credentials/ inside the "Run Script" phase. The /bin/sh at the beginning avoids problems with permissions.
    Call from
    Call from "Run Script" phase in XCode

So now Credentials.generated.swift will be generated during every build and we can use credentials.mapsApiKey to access our key and e.g. intialize the Google Maps Service in `./ios/Runner/AppDelegate.swift:

import UIKit
import Flutter
import GoogleMaps

@objc class AppDelegate: FlutterAppDelegate {
  override func application(
    _ application: UIApplication,
    didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?
  ) -> Bool {
    GeneratedPluginRegistrant.register(with: self)
    return super.application(application, didFinishLaunchingWithOptions: launchOptions)


Now we can use the same mechanism to add other api keys or secret variables to our app. You can find the code in action in the Munichways App which is open source.


The iOS part is an adaption of the process described by Robin Malhotras in his article on Medium. Check it out!