Use App Check with the debug provider in web apps

If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as locally during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

Use the debug provider on localhost

To use the debug provider while running your app from localhost (during development, for example), do the following:

  1. In your debug build, enable debug mode by setting self.FIREBASE_APPCHECK_DEBUG_TOKEN to true before you import App Check. For example:

    With npm

    If you installed the Firebase SDK using npm and a bundler:

    <script>self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;</script>
    <script>
      ...
    
      import 'firebase/app-check';
    
      ...
    </script>
    

    From the CDN

    <script>self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;</script>
    <script src="https://www.gstatic.com/firebasejs/8.8.0/firebase-app-check.js"></script>
    

    From Hosting URLs

    <script>self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;</script>
    <script src="/__/firebase/8.8.0/firebase-app-check.js"></script>
    
  2. Visit your web app locally and open the browser’s developer tool. In the debug console, you’ll see a debug token:

    AppCheck debug token: "123a4567-b89c-12d3-e456-789012345678". You will
    need to safelist it in the Firebase console for it to work.
  3. In the Project Settings > App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, register the debug token you logged in the previous step.

    Screenshot of the Manage Debug Tokens menu item

After you register the token, Firebase backend services will accept it as valid.

Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

Use the debug provider in a CI environment

To use the debug provider in a continuous integration (CI) environment, do the following:

  1. In the Project Settings > App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, create a new debug token. You'll need the token in the next step.

    Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

    Screenshot of the Manage Debug Tokens menu item

  2. Add the debug token you just created to your CI system's secure key store (for example, GitHub Actions' encrypted secrets or Travis CI's encrypted variables).

  3. If necessary, configure your CI system to make your debug token available within the CI environment as an environment variable. Name the variable something like APP_CHECK_DEBUG_TOKEN_FROM_CI.

  4. In your debug build, enable debug mode by setting self.FIREBASE_APPCHECK_DEBUG_TOKEN to the value of the debug token environment variable before you import App Check. For example:

    With npm

    If you installed the Firebase SDK using npm and a bundler:

    <script>
      self.FIREBASE_APPCHECK_DEBUG_TOKEN = process.env.APP_CHECK_DEBUG_TOKEN_FROM_CI;
    </script>
    <script>
      ...
    
      import 'firebase/app-check';
    
      ...
    </script>
    

    From the CDN

    <script>
      self.FIREBASE_APPCHECK_DEBUG_TOKEN = process.env.APP_CHECK_DEBUG_TOKEN_FROM_CI;
    </script>
    <script src="https://www.gstatic.com/firebasejs/8.8.0/firebase-app-check.js"></script>
    

    From Hosting URLs

    <script>
      self.FIREBASE_APPCHECK_DEBUG_TOKEN = process.env.APP_CHECK_DEBUG_TOKEN_FROM_CI;
    </script>
    <script src="/__/firebase/8.8.0/firebase-app-check.js"></script>
    

When your app runs in a CI environment, Firebase backend services will accept the token it sends as valid.