// ...// During instantiation, enable usage of limited-use tokensletai=FirebaseAI.firebaseAI(backend:.googleAI(),useLimitedUseAppCheckTokens:true)// ...
Kotlin
// ...// During instantiation, enable usage of limited-use tokensvalai=Firebase.ai(backend=GenerativeBackend.googleAI(),useLimitedUseAppCheckTokens=true)// ...
Java
// ...// During instantiation, enable usage of limited-use tokensFirebaseAIai=FirebaseAI.getInstance(/* backend: */GenerativeBackend.googleAI(),/* useLimitedUseAppCheckTokens: */true);// ...
Web
// ...// During instantiation, enable usage of limited-use tokensconstai=getAI(firebaseApp,{backend:newGoogleAIBackend(),useLimitedUseAppCheckTokens:true});// ...
Dart
在即将发布的版本中,我们将支持在 Flutter 应用中使用限次令牌。敬请关注!
Unity
在未来的版本中,我们将支持在 Unity 游戏中使用限次令牌。敬请关注!
了解 Firebase AI Logic 如何与 App Check 集成
如需使用 Firebase AI Logic SDK,必须在 Firebase 项目中启用 Firebase AI Logic API (firebasevertexai.googleapis.com)。这是因为 Firebase AI Logic SDK 发出的请求会先发送到 Firebase AI Logic 服务器,该服务器充当代理网关,Firebase App Check 验证会在请求获准继续发送到您选择的“Gemini API”提供商的后端以及用于访问 Gemini 和 Imagen 模型的 API 之前进行。
[null,null,["最后更新时间 (UTC):2025-08-28。"],[],[],null,["\u003cbr /\u003e\n\nWhen you call an API directly from a mobile or web app (for example, the APIs\nthat allow access to generative AI models), the API is vulnerable to abuse by\nunauthorized clients. To help protect these APIs, you can use\n[Firebase App Check](/docs/app-check) to verify that all incoming API calls\nare from your actual app.\n\nFirebase AI Logic provides a proxy gateway that lets you integrate with\nFirebase App Check and protect the generative AI model APIs called by your\nmobile and web apps. Using App Check with the\nFirebase AI Logic SDKs supports all our configurations:\n\n- Protects both \"Gemini API\" providers: Gemini Developer API and\n Vertex AI Gemini API.\n\n- Protects all supported models, both Gemini models and Imagen\n models.\n\n| We **strongly recommend implementing\n| Firebase App Check into your app as early as possible**, even during development, so that every version of your app is protected from API abuse.\n\nHigh-level summary of how App Check works\n\nWith App Check, devices running your app use an app or device attestation\nprovider that verifies one or both of the following:\n\n- Requests originate from your authentic app\n- Requests originate from an authentic, untampered device\n\nThis attestation is attached to every request your app makes using a\nFirebase AI Logic SDK. When you enable App Check enforcement,\nrequests from clients without a valid attestation will be rejected, as will any\nrequest originating from an app or platform you haven't authorized.\n\nWe recommend that when you set up App Check, make sure to\n[prepare for upcoming enhanced protection](#enhanced-protection)\n(known as *replay protection*).\n\nYou can find [detailed information about App Check](/docs/app-check) in its\ndocumentation, including its [quotas and limits](/docs/app-check#quotas_limits).\n\nAvailable providers and implementation instructions\n\nThe App Check documentation provides descriptions of attestation providers\nas well as implementation instructions.\n\n1. Choose a default provider, and follow the implementation instructions at the\n following links:\n\n - **Apple platforms** : [DeviceCheck](/docs/app-check/ios/devicecheck-provider) or [App Attest](/docs/app-check/ios/app-attest-provider)\n - **Android** : [Play Integrity](/docs/app-check/android/play-integrity-provider)\n - **Web** : [reCAPTCHA Enterprise](/docs/app-check/web/recaptcha-enterprise-provider)\n - **Flutter** : Supports [all the default providers above](/docs/app-check/flutter/default-providers) \n Also, make sure to follow [special instantiation requirements](#instantiation-flutter) for Flutter and App Check.\n - **Unity** : Supports [all the default providers above](/docs/app-check/unity/default-providers)\n\n Note that if none of the default providers are sufficient for your needs,\n then you can [implement a custom provider](/docs/app-check/custom-provider)\n that uses either a third-party attestation provider or your own attestation\n techniques.\n2. *(Recommended)*\n [Prepare for upcoming enhanced protection from App Check](#enhanced-protection)\n (known as *replay protection*).\n\n3. *(Required)* Before you release your app to real users,\n [**enable enforcement of App Check**](/docs/app-check/enable-enforcement).\n\nSpecial instantiation required for Flutter\n\n|-------------------------------------------------------------------------------------------------------------------------------------|\n| *Click your Gemini API provider to view provider-specific content and code on this page.* Gemini Developer API Vertex AI Gemini API |\n\nWhen using App Check with Firebase AI Logic in Flutter apps, you need to\nexplicitly pass in App Check during instantiation, like so: \n\n // ...\n\n final ai = await FirebaseAI.googleAI(\n appCheck: FirebaseAppCheck.instance, // for Flutter, pass in App Check explicitly\n );\n\n // ...\n\nPrepare for upcoming enhanced protection\n\n|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| ***Using limited-use tokens is currently only available for Apple platforms (v12.2.0+), Android (v17.2.0+, BoM v34.2.0+), and Web (v12.3.0+) .** Support for other platforms will be released over the next several weeks.* |\n\nBy default, App Check uses *session tokens* which have a configurable\ntime to live (TTL) between 30 minutes and 7 days.\nThese session tokens are cached by the App Check SDK and sent along with\nrequests from your app.\n\nIn the future, App Check will add the option to enable *replay protection*\nfor Firebase AI Logic (similar to the support that App Check already\noffers for some other resources). When replay protection is enabled, it\nenhances protection in the following ways:\n\n- App Check will only allow requests if they're accompanied by a special\n kind of token called a *limited-use token*.\n\n- After the limited-use token is verified, the token is consumed so that it can\n be used only once, preventing replay attacks.\n\n**To prepare for replay protection, we recommend that you\n[enable the usage of limited-use tokens](#enable-limited-use-tokens)** as part\nof setting up App Check. That way, when replay protection becomes available,\nthen you can enable it sooner because more of your users will be on versions\nof your app that send limited-use tokens.\n\nNote the following if you enable usage of limited-use tokens in your app now\n(while replay protection is unavailable):\n\n- App Check does *not* block the usage of *valid session tokens*.\n\n- Just like session tokens, limited-use tokens are cached by the\n App Check SDK and sent along with requests. These limited-use tokens\n provide a *small* amount of additional protection than the default session\n tokens because limited-use tokens have a shorter TTL\n (only 5 minutes and not adjustable) compared to session tokens.\n\n- Even though limited-use tokens are valid for 5 minutes, the SDK\n will still generate a new token for *each* request. This process can add some\n latency to your request.\n\nHowever, when replay protection is available for Firebase AI Logic in the\nfuture (and you enable it), the use of session tokens and the reuse of\nlimited-use tokens won't be possible. Note that the additional latency for\ngenerating a new token for each request will still happen.\n\nEnable usage of limited-use tokens\n\n|-------------------------------------------------------------------------------------------------------------------------------------|\n| *Click your Gemini API provider to view provider-specific content and code on this page.* Gemini Developer API Vertex AI Gemini API |\n\n| **Note:** Consider setting up limited-use tokens to be a Firebase Remote Config parameter so that you can control its setting remotely rather than having it hard-coded in your app. Learn more about [using Remote Config](/docs/ai-logic/solutions/remote-config).\n\nHere's how to enable usage of limited-use tokens:\n\n1. [Implement App Check](#available-providers), and make sure that you've\n [enabled App Check enforcement](/docs/app-check/enable-enforcement)\n for your app.\n\n2. In your app during instantiation, enable the usage of limited-use tokens by\n setting the `useLimitedUseAppCheckTokens` parameter to `true`:\n\n Swift \n\n\n // ...\n\n // During instantiation, enable usage of limited-use tokens\n let ai = FirebaseAI.firebaseAI(\n backend: .googleAI(),\n useLimitedUseAppCheckTokens: true\n )\n\n // ...\n\n Kotlin \n\n\n // ...\n\n // During instantiation, enable usage of limited-use tokens\n val ai = Firebase.ai(\n backend = GenerativeBackend.googleAI(),\n useLimitedUseAppCheckTokens = true\n )\n\n // ...\n\n Java \n\n\n // ...\n\n // During instantiation, enable usage of limited-use tokens\n FirebaseAI ai = FirebaseAI.getInstance(\n /* backend: */ GenerativeBackend.googleAI(),\n /* useLimitedUseAppCheckTokens: */ true\n );\n\n // ...\n\n Web \n\n\n // ...\n\n // During instantiation, enable usage of limited-use tokens\n const ai = getAI(firebaseApp, {\n backend: new GoogleAIBackend(),\n useLimitedUseAppCheckTokens: true\n });\n\n // ...\n\n Dart\n\n Using limited-use tokens with Flutter apps will be supported in the\n upcoming release. Check back soon!\n\n Unity\n\n Using limited-use tokens with Unity games will be supported in a\n future release. Check back soon!\n\nUnderstand how Firebase AI Logic integrates with App Check\n\nTo use the Firebase AI Logic SDKs, the\n[Firebase AI Logic API (`firebasevertexai.googleapis.com`)](https://console.cloud.google.com/apis/library/firebasevertexai.googleapis.com?project=_)\nmust be enabled in your Firebase project. This is because requests made by the\nFirebase AI Logic SDKs are first sent to the Firebase AI Logic\nserver, which acts as a proxy gateway where Firebase App Check verification\ntakes place *before* the request is allowed to proceed to your chosen\n\"Gemini API\" provider's backend and the APIs to access the Gemini\nand Imagen models."]]