Remote Config REST API Improve Documentation
For the Remote Config REST API, the documentation is fairly ugly around how to go about safely getting a valid ID token for a user to be able to use it. I'm suggesting you put the Remote Config API behind a set of user rules, similar to other Firebase technologies. If that cannot happen for some reason, then one of two things should happen:
1. There should be some sort of option in Remote Config or Authentication to automatically give new users a valid credential that allows them to only retrieve the Remote Config (perhaps it automatically creates a Service Worker Account in IAM and generates the JWT for you, which it then returns and shows the user in their config JSON?). You suggest doing this via a Cloud Function, but many projects won't be on the Blaze plan (and can't), but this would still be useful for them. I know it's not much to ask to switch to Blaze for this, but then they also have to implement the Cloud Function and figure out how to do it for all authenticated accounts because there's no extension to set it up, which there should be (maybe that's a second request here).
2. At least improve the documentation so that it's a lot more straightforward to create a Service Worker Account in IAM and then generate a valid JWT for that SWA (I think it should be automatic and you should just be provided with it). I had to go through more than 10 steps to figure out how to do that, and the Firebase help person couldn't figure out an easier way to do it either (he just repeated back a bunch of the links I sent him to ask for help). Part of the issue is that the site you've selected to create the JWT is either different from when the docs were originally written, or it simply never worked and the person who wrote the docs was taking an extra step or two to make it work that aren't documented.
There's also no indication after creating the JWT how to store it, which obviously is not up to you good folks, but the question I guess is whether or not letting it become public is secure. I know letting your private key become public isn't, but I wonder about the resultant JWT. With many applications that use the REST API, they are not encrypted in any way at rest, and so you end up having just an open JWT token that can be used with any permissions the SWA has - my GodotFirebase library being the primary example I can think of. I have mine locked down to just the RC read permission, but still, others might not know how to do this stuff inherently and make mistakes.
Edit: I just realized that the Service Worker Account approach is really only intended for server-related work, which means it won't even work for my scenario. The documentation REALLY needs an update to make that clear. Now I have to suggest that if my users want to use my completely free and open source library, they have to go Blaze Plan and create a whole Cloud Function, and I have to supply the Cloud Function so they can automatically add Remote Config permissions to their user IDs that get returned. This is so, so ugly.
Edit 2: I just realized what my issue is. I don't have access to the new Installations API through REST. Is it possible to allow that? That way, at least I can get an appropriate token to be able to send to the API without having to store the token somehow on my device, or force my users to use a Cloud Function and have to go paid while removing their ability to use A/B testing (the Admin SDK only returns the default template).