Enable App Check enforcement for Cloud Functions

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement for callable functions.

Enable enforcement

To begin enforcing App Check token requirements in your callable functions, modify your functions to check for valid App Check tokens, as shown below. Once you enable enforcement, all unverified requests will be rejected.

  1. Install the Cloud Functions SDK.

    Node.js (2nd gen)

    Update your project's firebase-functions dependency to version 4.0.0 or newer:

    npminstallfirebase-functions@">=4.0.0"

    Node.js (1st gen)

    Update your project's firebase-functions dependency to version 4.0.0 or newer:

    npminstallfirebase-functions@">=4.0.0"

    Python (preview)

    Add firebase-functions to functions/requirements.txt:

    firebase-functions >= 0.1.0

    Then, update the dependencies in your project's virtual environment:

    ./venv/bin/pip install -r requirements.txt

  2. Enable the App Check enforcement runtime option for your function:

    Node.js (2nd gen)

    const{onCall}=require("firebase-functions/v2/https");
exports.yourV2CallableFunction=onCall(
{
enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.
},
(request)=>{
// request.app contains data from App Check, including the app ID.
// Your function logic follows.
...
}
);

    Node.js (1st gen)

    constfunctions=require("firebase-functions/v1");
exports.yourV1CallableFunction=functions
.runWith({
enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.
})
.https.onCall((data,context)=>{
// context.app contains data from App Check, including the app ID.
// Your function logic follows.
...
});

    Python (preview)

    fromfirebase_functionsimport https_fn
@https_fn.on_call(
 enforce_app_check=True # Reject requests with missing or invalid App Check tokens.
)
defyour_callable_function(req: https_fn.CallableRequest) -> https_fn.Response:
 # req.app contains data from App Check, including the app ID.
 # Your function logic follows.
 ...

  3. Redeploy your functions:

    firebase deploy --only functions

Once these changes are deployed, your callable functions will require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.

Replay protection (beta)

To protect a callable function from replay attacks, you can consume the App Check token after verifying it. Once the token is consumed, it cannot be used again.

Note that using replay protection adds a network round trip to token verification, and therefore adds latency to the function call. For this reason, most apps typically enable replay protection only on particularly sensitive endpoints.

To consume tokens:

  1. In the Google Cloud console, grant the "Firebase App Check Token Verifier" role to the service account used by the function.

    • If you're explicitly initializing the Admin SDK and you specified your project's Admin SDK service account credentials, the required role is already granted.
    • If you're using 1st generation Cloud Functions with the default Admin SDK configuration, grant the role to the App Engine default service account. See Changing service account permissions.
    • If you're using 2nd generation Cloud Functions with the default Admin SDK configuration, grant the role to the Default compute service account.

  2. Set consumeAppCheckToken to true in your function definition:

    Node.js (2nd gen)

    const{onCall}=require("firebase-functions/v2/https");
exports.yourV2CallableFunction=onCall(
{
enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.
consumeAppCheckToken:true// Consume the token after verification.
},
(request)=>{
// request.app contains data from App Check, including the app ID.
// Your function logic follows.
...
}
);

    Node.js (1st gen)

    constfunctions=require("firebase-functions/v1");
exports.yourV1CallableFunction=functions
.runWith({
enforceAppCheck:true,// Reject requests with missing or invalid App Check tokens.
consumeAppCheckToken:true// Consume the token after verification.
})
.https.onCall((data,context)=>{
// context.app contains data from App Check, including the app ID.
// Your function logic follows.
...
});

  3. Update your app client code to acquire consumable limited-use tokens when you call the function:

    Swift

    letoptions=HTTPSCallableOptions(requireLimitedUseAppCheckTokens:true)
letyourCallableFunction=
Functions.functions().httpsCallable("yourCallableFunction",options:options)
do{
letresult=tryawaityourCallableFunction.call()
}catch{
// ...
}

    Kotlin 

    valyourCallableFunction=Firebase.functions.getHttpsCallable("yourCallableFunction"){
limitedUseAppCheckTokens=true
}
valresult=yourCallableFunction.call().await()

    Java 

    HttpsCallableReferenceyourCallableFunction=FirebaseFunctions.getInstance().getHttpsCallable(
"yourCallableFunction",
newHttpsCallableOptions.Builder()
.setLimitedUseAppCheckTokens(true)
.build()
);
Task<HttpsCallableResult>result=yourCallableFunction.call();

    Web 

    import{getFunctions,httpsCallable}from"firebase/functions";
constyourCallableFunction=httpsCallable(
getFunctions(),
"yourCallableFunction",
{limitedUseAppCheckTokens:true},
);
awaityourCallableFunction();

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025年10月21日 UTC.