constfunctions=require("firebase-functions/v1");exports.yourV1CallableFunction=functions.runWith({enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.}).https.onCall((data,context)=>{// context.app contains data from App Check, including the app ID.// Your function logic follows....});
Node.js(第 2 代)
const{onCall}=require("firebase-functions/v2/https");exports.yourV2CallableFunction=onCall({enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.},(request)=>{// request.app contains data from App Check, including the app ID.// Your function logic follows....});
Python(预览版)
fromfirebase_functionsimporthttps_fn@https_fn.on_call(enforce_app_check=True# Reject requests with missing or invalid App Check tokens.)defyour_callable_function(req:https_fn.CallableRequest)-> https_fn.Response:# req.app contains data from App Check, including the app ID.# Your function logic follows....
constfunctions=require("firebase-functions/v1");exports.yourV1CallableFunction=functions.runWith({enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.consumeAppCheckToken:true// Consume the token after verification.}).https.onCall((data,context)=>{// context.app contains data from App Check, including the app ID.// Your function logic follows....});
Node.js(第 2 代)
const{onCall}=require("firebase-functions/v2/https");exports.yourV2CallableFunction=onCall({enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.consumeAppCheckToken:true// Consume the token after verification.},(request)=>{// request.app contains data from App Check, including the app ID.// Your function logic follows....});
[null,null,["最后更新时间 (UTC):2025-08-18。"],[],[],null,["When you [understand how App Check will affect your users](/docs/app-check/monitor-functions-metrics)\nand you're ready to proceed, you can enable App Check enforcement for\n[callable functions](/docs/functions/callable).\n\nEnable enforcement\n\nTo begin enforcing App Check token requirements in your callable\nfunctions, modify your functions to check for valid App Check\ntokens, as shown below. Once you enable enforcement, all unverified requests\nwill be rejected.\n\n1. Install the Cloud Functions SDK.\n\n Node.js (2nd gen)\n\n Update your project's `firebase-functions` dependency to version 4.0.0 or\n newer: \n\n npm install firebase-functions@\"\u003e=4.0.0\"\n\n Node.js (1st gen)\n\n Update your project's `firebase-functions` dependency to version 4.0.0 or\n newer: \n\n npm install firebase-functions@\"\u003e=4.0.0\"\n\n Python (preview)\n\n Add `firebase-functions` to `functions/requirements.txt`: \n\n firebase-functions \u003e= 0.1.0\n\n Then, update the dependencies in your project's virtual environment: \n\n ./venv/bin/pip install -r requirements.txt\n\n2. Enable the App Check enforcement runtime option for your function:\n\n Node.js (2nd gen) \n\n const { onCall } = require(\"firebase-functions/v2/https\");\n\n exports.yourV2CallableFunction = onCall(\n {\n enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.\n },\n (request) =\u003e {\n // request.app contains data from App Check, including the app ID.\n // Your function logic follows.\n ...\n }\n );\n\n Node.js (1st gen) \n\n const functions = require(\"firebase-functions/v1\");\n\n exports.yourV1CallableFunction = functions\n .runWith({\n enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.\n })\n .https.onCall((data, context) =\u003e {\n // context.app contains data from App Check, including the app ID.\n // Your function logic follows.\n ...\n });\n\n Python (preview) \n\n from firebase_functions import https_fn\n\n @https_fn.on_call(\n enforce_app_check=True # Reject requests with missing or invalid App Check tokens.\n )\n def your_callable_function(req: https_fn.CallableRequest) -\u003e https_fn.Response:\n # req.app contains data from App Check, including the app ID.\n # Your function logic follows.\n ...\n\n3. Redeploy your functions:\n\n ```\n firebase deploy --only functions\n ```\n\nOnce these changes are deployed, your callable functions will require\nvalid App Check tokens. The Cloud Functions client SDKs automatically\nattach an App Check token when you invoke a callable function.\n\nReplay protection (beta)\n\nTo protect a callable function from replay attacks, you can consume the App\nCheck token after verifying it. Once the token is consumed, it cannot be used\nagain.\n| **Note:** The replay protection beta supports only the Cloud Functions SDK for Node.js.\n\nNote that using replay protection adds a network round trip to token\nverification, and therefore adds latency to the function call. For this\nreason, most apps typically enable replay protection only on particularly\nsensitive endpoints.\n\nTo consume tokens:\n\n1. In the\n [Google Cloud console](https://console.cloud.google.com/iam-admin/iam?project=_),\n grant the \"Firebase App Check Token Verifier\" role to the service account\n used by the function.\n\n - If you're explicitly initializing the Admin SDK and you specified your project's Admin SDK service account credentials, the required role is already granted.\n - If you're using 1st generation Cloud Functions with the default Admin SDK configuration, grant the role to the **App Engine default service\n account** . See [Changing service account permissions](https://cloud.google.com/appengine/docs/legacy/standard/python/service-account#modifying_the_default_service_account).\n - If you're using 2nd generation Cloud Functions with the default Admin SDK configuration, grant the role to the **Default compute service\n account**.\n2. Set `consumeAppCheckToken` to `true` in your function definition:\n\n Node.js (2nd gen) \n\n const { onCall } = require(\"firebase-functions/v2/https\");\n\n exports.yourV2CallableFunction = onCall(\n {\n enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.\n consumeAppCheckToken: true // Consume the token after verification.\n },\n (request) =\u003e {\n // request.app contains data from App Check, including the app ID.\n // Your function logic follows.\n ...\n }\n );\n\n Node.js (1st gen) \n\n const functions = require(\"firebase-functions/v1\");\n\n exports.yourV1CallableFunction = functions\n .runWith({\n enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.\n consumeAppCheckToken: true // Consume the token after verification.\n })\n .https.onCall((data, context) =\u003e {\n // context.app contains data from App Check, including the app ID.\n // Your function logic follows.\n ...\n });\n\n3. Update your app client code to acquire consumable limited-use tokens when\n you call the function:\n\n Swift \n\n let options = HTTPSCallableOptions(requireLimitedUseAppCheckTokens: true)\n let yourCallableFunction =\n Functions.functions().httpsCallable(\"yourCallableFunction\", options: options)\n do {\n let result = try await yourCallableFunction.call()\n } catch {\n // ...\n }\n\n Kotlin \n\n val yourCallableFunction = Firebase.functions.getHttpsCallable(\"yourCallableFunction\") {\n limitedUseAppCheckTokens = true\n }\n val result = yourCallableFunction.call().await()\n\n Java \n\n HttpsCallableReference yourCallableFunction = FirebaseFunctions.getInstance().getHttpsCallable(\n \"yourCallableFunction\",\n new HttpsCallableOptions.Builder()\n .setLimitedUseAppCheckTokens(true)\n .build()\n );\n Task\u003cHttpsCallableResult\u003e result = yourCallableFunction.call();\n\n Web \n\n import { getFunctions, httpsCallable } from \"firebase/functions\";\n\n const yourCallableFunction = httpsCallable(\n getFunctions(),\n \"yourCallableFunction\",\n { limitedUseAppCheckTokens: true },\n );\n await yourCallableFunction();"]]
