Stay organized with collections
Save and categorize content based on your preferences.
App Check has built-in support for several providers: DeviceCheck and App
Attest on Apple platforms, Play Integrity on Android, and reCAPTCHA Enterprise
in web apps (overview). These are well-understood providers
that should meet the needs of most developers. You can, however, also implement
your own custom App Check providers. Using a custom provider is necessary
when:
You want to use a provider other than the built-in ones.
You want to use the built-in providers in unsupported ways.
You want to verify devices using platforms other than Apple, Android, and the
web. For example, you could create App Check providers for desktop OSes or
Internet-of-Things devices.
You want to implement your own verification techniques on any platform.
Overview
To implement a custom App Check provider, you need a secure backend
environment that can run the Node.js Firebase Admin SDK.
This can be Cloud Functions, a container platform such as
Cloud Run, or your own server.
From this environment, you will provide a network-accessible service that
receives proof of authenticity from your app clients, and—if the proof of
authenticity passes your authenticity assessment—returns an App Check
token. The specific indicators you use as proof of authenticity will depend on
either the third-party provider you're using, or the indicators of your own
invention, if you're implementing custom logic.
Usually, you expose this service as a REST or gRPC endpoint, but this detail is
up to you.
Create a network-accessible endpoint that can receive authenticity data from
your clients. For example, using Cloud Functions:
// Create endpoint at https://example-app.cloudfunctions.net/fetchAppCheckTokenexports.fetchAppCheckToken=functions.https.onRequest((request,response)=>{// ...});
Add to the endpoint logic that assesses the authenticity data. This is the
core logic of your custom App Check provider, which you will need to
write yourself.
If you determine the client to be authentic, use the Admin SDK to mint
an App Check token and return it and its expiration time to the client:
constadmin=require('firebase-admin');admin.initializeApp();// ...admin.appCheck().createToken(appId).then(function(appCheckToken){// Token expires in an hour.constexpiresAt=Math.floor(Date.now()/1000)+60*60;// Return appCheckToken and expiresAt to the client.}).catch(function(err){console.error('Unable to create App Check token.');console.error(err);});
If you can't verify the client's authenticity, return an error (for example,
return an HTTP 403 error).
Optional: Set the time-to-live (TTL) for App Check tokens issued by
your custom provider by passing an AppCheckTokenOptions object to
createToken(). You can set the TTL to any value between 30 minutes and 7
days. When setting this value, be aware of the following tradeoffs:
Security: Shorter TTLs provide stronger security, because it reduces the
window in which a leaked or intercepted token can be abused by an
attacker.
Performance: Shorter TTLs mean your app will perform attestation more
frequently. Because the app attestation process adds latency to network
requests every time it's performed, a short TTL can impact the performance
of your app.
The default TTL of 1 hour is reasonable for most apps.
Next steps
Now that you've implemented your custom provider's server-side logic, learn how
to use it from your Apple,
Android, and web clients.
[null,null,["Last updated 2025-08-26 UTC."],[],[],null,["App Check has built-in support for several providers: DeviceCheck and App\nAttest on Apple platforms, Play Integrity on Android, and reCAPTCHA Enterprise\nin web apps ([overview](/docs/app-check)). These are well-understood providers\nthat should meet the needs of most developers. You can, however, also implement\nyour own custom App Check providers. Using a custom provider is necessary\nwhen:\n\n- You want to use a provider other than the built-in ones.\n\n- You want to use the built-in providers in unsupported ways.\n\n- You want to verify devices using platforms other than Apple, Android, and the\n web. For example, you could create App Check providers for desktop OSes or\n Internet-of-Things devices.\n\n- You want to implement your own verification techniques on any platform.\n\nOverview\n\nTo implement a custom App Check provider, you need a secure backend\nenvironment that can run the Node.js [Firebase Admin SDK](/docs/admin/setup).\nThis can be Cloud Functions, a container platform such as\n[Cloud Run](https://cloud.google.com/run), or your own server.\n\nFrom this environment, you will provide a network-accessible service that\nreceives proof of authenticity from your app clients, and---if the proof of\nauthenticity passes your authenticity assessment---returns an App Check\ntoken. The specific indicators you use as proof of authenticity will depend on\neither the third-party provider you're using, or the indicators of your own\ninvention, if you're implementing custom logic.\n\nUsually, you expose this service as a REST or gRPC endpoint, but this detail is\nup to you.\n\nCreate the token acquisition endpoint\n\n1. [Install and initialize the Admin SDK](/docs/admin/setup).\n\n2. Create a network-accessible endpoint that can receive authenticity data from\n your clients. For example, using Cloud Functions:\n\n // Create endpoint at https://example-app.cloudfunctions.net/fetchAppCheckToken\n exports.fetchAppCheckToken = functions.https.onRequest((request, response) =\u003e {\n // ...\n });\n\n3. Add to the endpoint logic that assesses the authenticity data. This is the\n core logic of your custom App Check provider, which you will need to\n write yourself.\n\n4. If you determine the client to be authentic, use the Admin SDK to mint\n an App Check token and return it and its expiration time to the client:\n\n const admin = require('firebase-admin');\n admin.initializeApp();\n\n // ...\n\n admin.appCheck().createToken(appId)\n .then(function (appCheckToken) {\n // Token expires in an hour.\n const expiresAt = Math.floor(Date.now() / 1000) + 60 * 60;\n\n // Return appCheckToken and expiresAt to the client.\n })\n .catch(function (err) {\n console.error('Unable to create App Check token.');\n console.error(err);\n });\n\n | **Note:** If you encounter a token signing error while creating a new token, make sure your service account has the required permissions. See the [Admin SDK troubleshooting guide](/docs/auth/admin/create-custom-tokens#troubleshooting).\n\n If you can't verify the client's authenticity, return an error (for example,\n return an HTTP 403 error).\n5. **Optional** : Set the time-to-live (TTL) for App Check tokens issued by\n your custom provider by passing an `AppCheckTokenOptions` object to\n `createToken()`. You can set the TTL to any value between 30 minutes and 7\n days. When setting this value, be aware of the following tradeoffs:\n\n - Security: Shorter TTLs provide stronger security, because it reduces the window in which a leaked or intercepted token can be abused by an attacker.\n - Performance: Shorter TTLs mean your app will perform attestation more frequently. Because the app attestation process adds latency to network requests every time it's performed, a short TTL can impact the performance of your app.\n\n The default TTL of 1 hour is reasonable for most apps.\n\nNext steps\n\nNow that you've implemented your custom provider's server-side logic, learn how\nto use it from your [Apple](/docs/app-check/ios/custom-provider),\n[Android](/docs/app-check/android/custom-provider), and [web](/docs/app-check/web/custom-provider) clients."]]
