Implement Firebase App Check to protect APIs from unauthorized clients

For mobile and web apps, you need to protect the APIs that allow access to the Gemini and Imagen models from abuse by unauthorized clients. You can use Firebase App Check to verify that all API calls are from your actual app.

Using App Check to help protect the Gemini API and the Imagen API is only available if you use the Vertex AI in Firebase SDKs.

With App Check, devices running your app use an app or device attestation provider that verifies one or both of the following:

  • Requests originate from your authentic app
  • Requests originate from an authentic, untampered device

This attestation is attached to every request your app makes using a Vertex AI in Firebase SDK. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.

Available providers and implementation instructions

App Check has built-in support for using the following services as attestation providers. Click a provider's link to view the App Check documentation for that provider, including descriptions and implementation instructions.

If these providers are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques (for more details, see the App Check documentation).

Additional information about App Check

Understand how App Check protects the APIs for Vertex AI in Firebase

To use the Vertex AI in Firebase SDKs, the Vertex AI in Firebase API (firebasevertexai.googleapis.com) must be enabled in your Firebase project. This is because requests made by the Vertex AI in Firebase SDKs are first sent to the Vertex AI in Firebase server, which acts as a proxy gateway. Firebase App Check verification takes place at this gateway before the request is allowed to proceed to the Vertex AI backend and the APIs that access the Gemini and Imagen models.

Note that the Vertex AI in Firebase API itself doesn't perform any App Check verification. Instead, the Vertex AI in Firebase SDKs automatically route requests from your app through the Vertex AI in Firebase gateway.
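
The accept/reject decision that enforcement implies, modelled as an added example (it is not Firebase's gateway code and not part of the original page). It assumes the RS256 JWT claim layout that App Check documents for verifying tokens on a custom backend; the project number, app ID, key pair and the `mintToken` helper are constructed for the demonstration.

```javascript
// Added illustration: the accept/reject decision an App Check-enforcing gateway makes.
// Project number, app ID and key pair are constructed samples, not real values.
const crypto = require('node:crypto');

const PROJECT_NUMBER = '123456789012';                          // constructed
const ALLOWED_APPS = new Set(['1:123456789012:web:aaaa1111']);  // constructed app ID
const ISSUER = `https://firebaseappcheck.googleapis.com/${PROJECT_NUMBER}`;
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (s) => Buffer.from(s).toString('base64url');

// Hypothetical stand-in for the attestation service: mints a signed JWT for the demo.
function mintToken(privateKey, claims, alg = 'RS256') {
  const signed = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = alg === 'none' ? '' : crypto.sign('sha256', Buffer.from(signed), privateKey).toString('base64url');
  return `${signed}.${sig}`;
}

// Returns 'forward' or a rejection reason for one incoming request's token.
function enforce(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  if (!token) return 'reject: no attestation';
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'reject: malformed';
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return 'reject: malformed'; }
  if (!header || !claims) return 'reject: malformed';
  // Pin the algorithm; never let the token header choose how it is verified.
  if (header.alg !== 'RS256') return 'reject: bad algorithm';
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  if (!ok) return 'reject: bad signature';
  if (claims.iss !== ISSUER) return 'reject: wrong issuer';
  if (![].concat(claims.aud).includes(`projects/${PROJECT_NUMBER}`)) return 'reject: wrong audience';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'reject: expired';
  // The "app or platform you haven't authorized" case: valid token, wrong app.
  if (!ALLOWED_APPS.has(claims.sub)) return 'reject: app not authorized';
  return 'forward';
}

// Demo: a token for the authorized app, valid for one hour, is forwarded.
const sampleClaims = { iss: ISSUER, aud: [`projects/${PROJECT_NUMBER}`],
  sub: '1:123456789012:web:aaaa1111', exp: Math.floor(Date.now() / 1000) + 3600 };
console.log(enforce(mintToken(demoKeys.privateKey, sampleClaims), demoKeys.publicKey));
```

The order of checks matters: claims are read for policy decisions only after the signature has verified under a pinned algorithm.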