Prevent Gemini API abuse with Firebase App Check

When you call an API directly from a mobile or web app (for example, the APIs that allow access to generative AI models), the API is vulnerable to abuse by unauthorized clients. To help protect these APIs from abuse, you can use Firebase App Check to verify that all incoming API calls are from your actual app and an untampered device.

Firebase AI Logic provides a proxy gateway that lets you integrate with Firebase App Check and protect the generative AI model APIs called by your mobile and web apps. Using App Check with the Firebase AI Logic SDKs supports all our configurations:

  • Protects both "Gemini API" providers: Gemini Developer API and Vertex AI Gemini API.

  • Protects all supported models, both Gemini models and Imagen models.

App Check also supports replay protection, which means an App Check token can only be used once.

High-level summary of how App Check works

With App Check, devices running your app use an app or device attestation provider that verifies one or both of the following:

  • Requests originate from your authentic app
  • Requests originate from an authentic, untampered device

This attestation is attached to every request your app makes using a Firebase AI Logic SDK. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.

When setting up App Check, consider adding replay protection, which makes App Check tokens one-time-use only. This option offers enhanced protection beyond the baseline protection and lets you set an appropriate level of protection for your app and use cases.

You can find detailed information about App Check in its documentation, including its quotas and limits.

Set up App Check

The App Check documentation provides detailed descriptions of attestation providers as well as detailed implementation instructions.

  1. Choose a default attestation provider, and follow the implementation instructions at the following links:

    Note that if none of the default attestation providers are sufficient for your needs, then you can implement a custom provider that uses either a third-party attestation provider or your own attestation techniques.

  2. (Required) Enable App Check enforcement before you commit your app to a publicly available source code control system, share your app, or make your app publicly available.

  3. (Recommended) Enhance protection by adding replay protection, which means an App Check token can only be used once.

Enhance protection by adding replay protection

We recommend using the latest SDK versions, but make sure you're using at minimum one of these versions to use replay protection:
  • Apple platforms v12.2.0+
  • Android BoM v34.14.0+ (App Check v19.1.0+)
  • Web v12.14.0+
  • Flutter v4.15.0+ (App Check v4.10.0+)
  • Unity v13.12.0+

By default, App Check uses session tokens, which have a configurable time to live (TTL) between 30 minutes and 7 days. These session tokens are cached by the App Check SDK, are sent along with requests from your app, and can be re-used until their TTL expires. Using session tokens is considered baseline protection.

However, you can enhance protection beyond this baseline protection by enforcing replay protection, which uses limited-use tokens instead. When replay protection is enforced, the following happens:

  • App Check will block requests to Firebase AI Logic that use session tokens. Instead, App Check will only allow a request to Firebase AI Logic if it uses a newly minted limited-use token.

  • After the limited-use token is verified, the token is consumed so that it can be used only once, which prevents replay attacks.

  • The App Check SDK generates a new limited-use token for each request. Note that this process can impact your requests by adding some latency and sometimes cost (depending on your attestation provider).

Set up and enforce replay protection


Here's how to set up and enforce replay protection:

  1. If you haven't already, implement App Check and enable App Check enforcement for your app.

  2. Enable usage of limited-use tokens.

    When you instantiate the SDK in your app, set the useLimitedUseAppCheckTokens parameter to true:

    Swift

    // ...

    // During instantiation, enable usage of limited-use tokens
    let ai = FirebaseAI.firebaseAI(
      backend: .googleAI(),
      useLimitedUseAppCheckTokens: true
    )

    // ...

    Kotlin

    // ...

    // During instantiation, enable usage of limited-use tokens
    val ai = Firebase.ai(
      backend = GenerativeBackend.googleAI(),
      useLimitedUseAppCheckTokens = true
    )

    // ...

    Java

    // ...

    // During instantiation, enable usage of limited-use tokens
    FirebaseAI ai = FirebaseAI.getInstance(
      /* backend: */ GenerativeBackend.googleAI(),
      /* useLimitedUseAppCheckTokens: */ true
    );

    // ...

    Web

    // ...

    // During instantiation, enable usage of limited-use tokens
    const ai = getAI(firebaseApp, {
      backend: new GoogleAIBackend(),
      useLimitedUseAppCheckTokens: true
    });

    // ...

    Dart

    // ...

    // During instantiation, enable usage of limited-use tokens
    final ai = await FirebaseAI.googleAI(
      useLimitedUseAppCheckTokens: true,
    );

    // ...

    Unity

    // ...

    // During instantiation, enable usage of limited-use tokens
    var ai = FirebaseAI.GetInstance(
      useLimitedUseAppCheckTokens: true
    );

    // ...
    
  3. Enforce replay protection.

    1. In your app's codebase, make sure that you've enabled usage of limited-use tokens (see previous step).

    2. In the Firebase console, go to Security > App Check.

    3. Expand the metrics view for Firebase AI Logic.

    4. Make sure Baseline protection is Enforced, then click Continue.

    5. For replay protection, choose either Unenforced (monitoring only) or Enforced.

      Consider the following to decide when to enforce replay protection:

      • Monitoring your requests is recommended if a substantial number of your users are likely using earlier versions of your app without usage of limited-use tokens enabled. If you enforce replay protection immediately, requests from those users will be blocked.

      • You can specifically monitor the Unverified: Reused token metric, which is the number of requests that have a token which has already been used in a previous request. Monitor this metric in the Firebase console (go to the Security > App Check > APIs tab).

        If a significant portion of recent requests are in this category, you can avoid disrupting users and consider waiting to enforce replay protection until more users have updated to a version of your app that uses limited-use tokens.
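To make the session-token versus limited-use-token behaviour and the Unenforced/Enforced rollout decision concrete, here is an added example in JavaScript. It is a toy model written for this page, not Firebase's implementation or SDK code: the token objects, the metric counter names, the mode names and the five-minute limited-use lifetime are constructed for the model, and the real verification of signed App Check tokens at the proxy gateway is omitted. It shows a cached session token passing until its TTL expires, a limited-use token being consumed on first verification so a second presentation counts as a replay, and why monitoring the reused-token count matters before enforcing: in the Unenforced mode replays are counted but still allowed, in the Enforced mode both session tokens and replayed tokens are rejected.

```javascript
// Added example (not Firebase's code): a toy model of the two App Check token kinds
// and of the gateway's replay-protection decision. Real tokens are signed and verified
// by Firebase at the Firebase AI Logic proxy; only the replay logic is modelled here.

const MIN_SESSION_TTL_MS = 30 * 60 * 1000;          // 30 minutes (lower TTL bound stated on the page)
const MAX_SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days (upper TTL bound stated on the page)
const LIMITED_USE_LIFETIME_MS = 5 * 60 * 1000;      // constructed value for the model, not Firebase's

class AppCheckGatewayModel {
  // `clock` is injected so the walkthrough below can control time deterministically.
  constructor(clock = () => Date.now()) {
    this.clock = clock;
    this.consumed = new Set(); // ids of limited-use tokens already verified once
    this.nextId = 1;
    // Counters standing in for the console metrics; the property names are the model's own.
    this.metrics = { verified: 0, unverifiedReused: 0, unverifiedSession: 0, unverifiedInvalid: 0 };
  }

  // Session token: cached by the client SDK and reusable until its TTL expires (baseline protection).
  mintSessionToken(ttlMs) {
    if (ttlMs < MIN_SESSION_TTL_MS || ttlMs > MAX_SESSION_TTL_MS) {
      throw new RangeError('session TTL must be between 30 minutes and 7 days');
    }
    return { id: this.nextId++, kind: 'session', expiresAt: this.clock() + ttlMs };
  }

  // Limited-use token: minted per request by the SDK and consumed on first verification.
  mintLimitedUseToken() {
    return { id: this.nextId++, kind: 'limited-use', expiresAt: this.clock() + LIMITED_USE_LIFETIME_MS };
  }

  // Gateway decision for one request, with baseline protection enforced and replay protection in `mode`:
  //   'unenforced' - monitoring only: reused tokens are counted but the request still passes
  //   'enforced'   - only a fresh limited-use token passes; session tokens and replays are blocked
  verify(token, mode) {
    if (mode !== 'unenforced' && mode !== 'enforced') throw new RangeError(`unknown mode ${mode}`);
    if (!token || token.expiresAt <= this.clock()) {
      this.metrics.unverifiedInvalid++;
      return { allowed: false, reason: 'missing-or-expired' };
    }
    if (token.kind === 'session') {
      if (mode === 'enforced') {
        this.metrics.unverifiedSession++;
        return { allowed: false, reason: 'session-token-blocked' };
      }
      this.metrics.verified++;
      return { allowed: true, reason: 'session-token-ok' };
    }
    if (this.consumed.has(token.id)) {
      // Second presentation of a limited-use token: this is what the "Reused token" metric counts.
      this.metrics.unverifiedReused++;
      return { allowed: mode !== 'enforced', reason: 'reused-token' };
    }
    this.consumed.add(token.id); // consume the token so it can be used only once
    this.metrics.verified++;
    return { allowed: true, reason: 'limited-use-token-ok' };
  }
}

// Rollout walkthrough: the same traffic mix evaluated under one replay-protection mode.
function simulateRollout(mode) {
  let now = 0;
  const gateway = new AppCheckGatewayModel(() => now);
  const allowed = [];

  // An older app build without limited-use tokens enabled reuses one cached session token three times.
  const session = gateway.mintSessionToken(60 * 60 * 1000);
  for (let i = 0; i < 3; i++) allowed.push(gateway.verify(session, mode).allowed);

  // An updated build mints a new limited-use token for each request.
  allowed.push(gateway.verify(gateway.mintLimitedUseToken(), mode).allowed);

  // The same limited-use token presented a second time is a replay.
  const single = gateway.mintLimitedUseToken();
  allowed.push(gateway.verify(single, mode).allowed);
  allowed.push(gateway.verify(single, mode).allowed);

  // Two hours later the one-hour session token has expired and fails in either mode.
  now += 2 * 60 * 60 * 1000;
  allowed.push(gateway.verify(session, mode).allowed);

  return { allowed, metrics: { ...gateway.metrics } };
}

console.log('unenforced:', JSON.stringify(simulateRollout('unenforced')));
console.log('enforced:  ', JSON.stringify(simulateRollout('enforced')));
```

Running the walkthrough in both modes shows the trade-off the steps above describe: in the Unenforced mode every request except the expired one passes while the reused-token counter records the single replay, so the metric tells you how much traffic still depends on session tokens or reuse; in the Enforced mode the three session-token requests from the older build and the replayed token are all rejected, which is the disruption the monitoring period is meant to let you avoid.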

Understand how Firebase AI Logic integrates with App Check

To use the Firebase AI Logic SDKs, the Firebase AI Logic API (firebasevertexai.googleapis.com) must be enabled in your Firebase project. Requests made by the Firebase AI Logic SDKs are first sent to the Firebase AI Logic server, which acts as a proxy gateway: Firebase App Check verification takes place there before the request is allowed to proceed to your chosen "Gemini API" provider's backend and to the APIs for the Gemini and Imagen models.