Firebase App Check
App Check helps protect your API resources from abuse by preventing unauthorized clients from accessing your backend resources. It works with both Firebase services, Google Cloud services, and your own APIs to keep your resources safe.
With App Check, devices running your app will use an app or device attestation provider that attests to one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs you specify. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.
App Check has built-in support for using the following services as attestation providers:
- DeviceCheck or App Attest on Apple platforms
- Play Integrity or SafetyNet (deprecated) on Android
- reCAPTCHA v3 or reCAPTCHA Enterprise on web apps
If these are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques.
App Check currently works with the following Firebase products:
|Supported Firebase products|
|Cloud Functions (callable functions)|
You can also use App Check to protect your non-Firebase backend resources.
Ready to get started?
How does it work?
When you enable App Check for a service and include the client SDK in your app, the following happens periodically:
- Your app interacts with the provider of your choice to obtain an attestation of the app or device's authenticity (or both, depending on the provider).
- The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token with an expiration time. This token might retain some information about the attestation material it verified.
- The App Check client SDK caches the token in your app, ready to be sent along with any requests your app makes to protected services.
A service protected by App Check only accepts requests accompanied by a current, valid App Check token.
How strong is the security provided by App Check?
App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.
How is App Check related to Firebase Authentication?
App Check and Firebase Authentication are complementary parts of your app security story. Firebase Authentication provides user authentication, which protects your users, whereas App Check provides attestation of app or device authenticity, which protects you, the developer. App Check guards access to your Firebase resources and custom backends by requiring API calls to contain a valid Firebase App Check token. These two concepts work together to help secure your app.
Quotas & limits
Your use of App Check is subject to the quotas and limits of the attestation providers you use.
DeviceCheck and App Attest access is subject to any quotas or limitations set by Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usage tier. For information on raising your usage tier, see the Play Integrity documentation.
SafetyNet has a daily quota of 10,000 calls. For information on requesting a quota increase, see the SafetyNet documentation.
reCAPTCHA v3 has a monthly quota of 1 million calls, as well as a 1,000 QPS limit. For information on requesting a quota increase, see the reCAPTCHA documentation.
reCAPTCHA Enterprise is no-cost for 1 million calls per month, and at cost beyond that. See reCAPTCHA Enterprise pricing.
Ready to get started?
reCAPTCHA v3 reCAPTCHA Enterprise
Learn how to implement a custom App Check provider:
Learn how to use App Check to protect your non-Firebase backend resources: