Firebase is back at Google I/O on May 10! Register now

Enable App Check enforcement for Cloud Functions

Stay organized with collections Save and categorize content based on your preferences.

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.

To begin enforcing App Check token requirements in your callable Cloud Functions, modify your functions to check for valid App Check tokens, as shown below. Once you enable enforcement, all unverified requests will be rejected.

  1. Update your project's firebase-functions dependency to version 4.0.0 or newer:

    npm install firebase-functions@">=4.0.0"

    And update your project's firebase-admin dependency to version 9.8.0 or newer:

    npm install firebase-admin@">=9.8.0"

  2. Set the enforceAppCheck runtime option for your function to true:

    exports.yourCallableFunction = functions.
  .runWith({
    enforceAppCheck: true  // Requests without valid App Check tokens will be rejected.
  })
  .https.onCall((data, context) => {
    // Your function logic follows.
  });

  3. Add a check for context.app to your function. Your function should fail if context.app isn't defined.

    exports.yourCallableFunction = functions.https.onCall((data, context) => {
  // context.app will be undefined if the request doesn't include an
  // App Check token. (If the request includes an invalid App Check
  // token, the request will be rejected with HTTP error 401.)
  if (context.app == undefined) {
    throw new functions.https.HttpsError(
        'failed-precondition',
        'The function must be called from an App Check verified app.')
  }

  // Your function logic follows.
});

  4. Redeploy your functions:

    firebase deploy --only functions

Once these changes are deployed, your callable Cloud Functions will require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.