When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.
To begin enforcing App Check token requirements in your callable Cloud Functions, modify your functions to check for valid App Check tokens, as shown below. Once you enable enforcement, all unverified requests will be rejected.
1. Update your project's firebase-functions dependency to version 4.0.0 or newer:

    npm install firebase-functions@">=4.0.0"

   And update your project's firebase-admin dependency to version 9.8.0 or newer:

    npm install firebase-admin@">=9.8.0"

2. Set the enforceAppCheck runtime option for your function to true:

    exports.yourCallableFunction = functions
      .runWith({
        enforceAppCheck: true // Requests without valid App Check tokens will be rejected.
      })
      .https.onCall((data, context) => {
        // Your function logic follows.
      });

3. Add a check for context.app to your function. Your function should fail if context.app isn't defined.

    exports.yourCallableFunction = functions.https.onCall((data, context) => {
      // context.app will be undefined if the request doesn't include an
      // App Check token. (If the request includes an invalid App Check
      // token, the request will be rejected with HTTP error 401.)
      if (context.app == undefined) {
        throw new functions.https.HttpsError(
          'failed-precondition',
          'The function must be called from an App Check verified app.');
      }

      // Your function logic follows.
    });

4. Redeploy your functions:

    firebase deploy --only functions
Once these changes are deployed, your callable Cloud Functions will require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.
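The context.app check from the steps above, factored into a wrapper so that every callable handler applies it the same way and none ships without it. This is an added example, not code from the Firebase documentation: withAppCheck, StandInHttpsError, outcome, demo and the sample contexts are hypothetical, and in a deployed function you would pass functions.https.HttpsError in place of the stand-in.

```javascript
// Stand-in for functions.https.HttpsError so this sketch runs offline (hypothetical).
class StandInHttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Wraps a callable handler and rejects any call whose context has no
// App Check data, mirroring the context.app check shown in the steps.
function withAppCheck(HttpsError, handler) {
  return (data, context) => {
    if (!context || context.app === undefined) {
      throw new HttpsError(
        'failed-precondition',
        'The function must be called from an App Check verified app.');
    }
    return handler(data, context);
  };
}

// Example handler; with the SDK you would pass the wrapped function to
// functions.https.onCall(...).
const addNumbers = withAppCheck(StandInHttpsError, (data) => {
  return { sum: data.a + data.b };
});

// Calls a wrapped handler and reports whether it ran or was rejected.
function outcome(fn, data, context) {
  try {
    return { ok: true, result: fn(data, context) };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}

// Constructed contexts: one with App Check data, one that is signed in
// (context.auth set) but carries no App Check token.
function demo() {
  const verified = { app: { appId: 'constructed-app-id' } };
  const signedInOnly = { auth: { uid: 'constructed-uid' } };
  return [
    outcome(addNumbers, { a: 2, b: 3 }, verified),
    outcome(addNumbers, { a: 2, b: 3 }, signedInOnly),
  ];
}
```

The second context shows that a signed-in user does not satisfy the check: context.auth and context.app are populated independently.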