Use App Check with the debug provider on Android

If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as an emulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

Use the debug provider in an emulator

To use the debug provider while running your app in an emulator interactively (during development, for example), do the following:

  1. In your module (app-level) Gradle file (usually app/build.gradle), declare the dependency for the App Check Android library:

    Kotlin+KTX

    dependencies {
        implementation 'com.google.firebase:firebase-appcheck-debug:17.0.1'
    }
    

    Java

    dependencies {
        implementation 'com.google.firebase:firebase-appcheck-debug:17.0.1'
    }
    
  2. In your debug build, configure App Check to use the debug provider factory:

    Kotlin+KTX

    Firebase.initialize(context = this)
    val firebaseAppCheck = FirebaseAppCheck.getInstance()
    firebaseAppCheck.installAppCheckProviderFactory(
        DebugAppCheckProviderFactory.getInstance(),
    )

    Java

    FirebaseApp.initializeApp(/*context=*/ this);
    FirebaseAppCheck firebaseAppCheck = FirebaseAppCheck.getInstance();
    firebaseAppCheck.installAppCheckProviderFactory(
            DebugAppCheckProviderFactory.getInstance());
  3. Launch the app and trigger a call to a Firebase backend service. A local debug token will be logged when the SDK tries to send a request to the backend. For example:

    D DebugAppCheckProvider: Enter this debug secret into the allow list in
    the Firebase Console for your project: 123a4567-b89c-12d3-e456-789012345678
  4. In the App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, register the debug token you logged in the previous step.

    Screenshot of the Manage Debug Tokens menu item

After you register the token, Firebase backend services will accept it as valid.

Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

Use the debug provider for unit testing in a CI environment

To use the debug provider for unit testing in a continuous integration (CI) environment, do the following:

  1. In the App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, create a new debug token. You'll need the token in the next step.

    Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

    Screenshot of the Manage Debug Tokens menu item

  2. Add the debug token you just created to your CI system's secure key store (for example, GitHub Actions' encrypted secrets or Travis CI's encrypted variables).

  3. If necessary, configure your CI system to make your debug token available within the CI environment as an environment variable. Name the variable something like APP_CHECK_DEBUG_TOKEN_FROM_CI.

  4. In your module (app-level) Gradle file (usually app/build.gradle):

    1. Declare the test dependency for the App Check Android debug library:

      Kotlin+KTX

      dependencies {
          androidTestImplementation 'com.google.firebase:firebase-appcheck-debug-testing:17.0.1'
      }
      

      Java

      dependencies {
          androidTestImplementation 'com.google.firebase:firebase-appcheck-debug-testing:17.0.1'
      }
      
    2. Add the following to the configuration of your CI build variant:

      testInstrumentationRunnerArgument "firebaseAppCheckDebugSecret", System.getenv("APP_CHECK_DEBUG_TOKEN_FROM_CI") ?: ''
      
  5. In your test classes, use the DebugAppCheckTestHelper to wrap any code that needs an App Check token:

    Kotlin+KTX

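    import androidx.test.ext.junit.runners.AndroidJUnit4
    import com.google.firebase.FirebaseApp
    import com.google.firebase.appcheck.debug.testing.DebugAppCheckTestHelper
    import org.junit.Test
    import org.junit.runner.RunWith

    @RunWith(AndroidJUnit4::class)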
    class MyTests {
        private val debugAppCheckTestHelper =
            DebugAppCheckTestHelper.fromInstrumentationArgs()
    
        @Test
        fun testWithDefaultApp() {
            debugAppCheckTestHelper.withDebugProvider {
                // Test code that requires a debug AppCheckToken.
            }
        }
    
        @Test
        fun testWithNonDefaultApp() {
            debugAppCheckTestHelper.withDebugProvider(
                FirebaseApp.getInstance("nonDefaultApp")
            ) {
                // Test code that requires a debug AppCheckToken.
            }
        }
    }
    

    Java

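    import androidx.test.ext.junit.runners.AndroidJUnit4;
    import com.google.firebase.FirebaseApp;
    import com.google.firebase.appcheck.debug.testing.DebugAppCheckTestHelper;
    import org.junit.Test;
    import org.junit.runner.RunWith;

    @RunWith(AndroidJUnit4.class)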
    public class YourTests {
        private final DebugAppCheckTestHelper debugAppCheckTestHelper =
                DebugAppCheckTestHelper.fromInstrumentationArgs();
    
        @Test
        public void testWithDefaultApp() {
            debugAppCheckTestHelper.withDebugProvider(() -> {
                // Test code that requires a debug AppCheckToken.
            });
        }
    
        @Test
        public void testWithNonDefaultApp() {
            debugAppCheckTestHelper.withDebugProvider(
                    FirebaseApp.getInstance("nonDefaultApp"),
                    () -> {
                        // Test code that requires a debug AppCheckToken.
                    });
        }
    }
    

When your app runs in a CI environment, Firebase backend services will accept the token it sends as valid.
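
The warning against committing a debug token and the CI step that passes the token through an environment variable can both be enforced by a pre-build check. The Python sketch below is an added example, not part of the Firebase documentation or SDK. It assumes debug tokens are UUID-shaped like the sample in the log line above; the function names, file paths and sample contents are constructed for illustration.

```python
import re

# Assumption: debug tokens are UUID-shaped, as in the page's sample log line.
TOKEN_RE = re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.I)
# Context that marks a UUID as an App Check debug token, not just any UUID.
CONTEXT_RE = re.compile(
    r"firebaseAppCheckDebugSecret|DebugAppCheckProvider|APP_CHECK_DEBUG_TOKEN", re.I)


def find_leaked_tokens(path, text, window=1):
    """Return (path, line_no, redacted) for UUIDs within `window` lines of context."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in TOKEN_RE.finditer(line):
            nearby = lines[max(0, i - window):i + window + 1]
            if any(CONTEXT_RE.search(n) for n in nearby):
                token = match.group(0)
                # Redact so the scanner's own report does not leak the token.
                findings.append((path, i + 1, token[:4] + "..." + token[-4:]))
    return findings


def check_ci_token(environ, name="APP_CHECK_DEBUG_TOKEN_FROM_CI"):
    """Fail fast: the Gradle `?: ''` fallback would otherwise pass an empty secret."""
    value = environ.get(name, "")
    if not value:
        return "missing"
    return "ok" if TOKEN_RE.fullmatch(value) else "malformed"


# Constructed sample inputs (the token is the placeholder from the page's log line).
SAMPLES = {
    "app/build.gradle": (  # hard-coded token: should be flagged
        '  testInstrumentationRunnerArgument "firebaseAppCheckDebugSecret", '
        '"123a4567-b89c-12d3-e456-789012345678"\n'),
    "ci/build.gradle": (  # token read from the environment: clean
        '  testInstrumentationRunnerArgument "firebaseAppCheckDebugSecret", '
        "System.getenv(\"APP_CHECK_DEBUG_TOKEN_FROM_CI\") ?: ''\n"),
    "notes/logcat.txt": (  # pasted log output, wrapped over two lines: flagged
        "D DebugAppCheckProvider: Enter this debug secret into the allow list in\n"
        "the Firebase Console for your project: 123a4567-b89c-12d3-e456-789012345678\n"),
    "docs/ids.md": "request id 0f8fad5b-d9cb-469f-a165-70867728950e\n",  # unrelated UUID
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(path, find_leaked_tokens(path, text))
    print("CI token:", check_ci_token({}))
```

Run it over tracked files before the instrumentation tests start, and fail the job on any finding or on a token status other than `ok`.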