Join us in person and online for Firebase Summit on October 18, 2022. Learn how Firebase can help you accelerate app development, release your app with confidence, and scale with ease. Register now

Enable App Check enforcement for Cloud Functions

Stay organized with collections Save and categorize content based on your preferences.

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.

To begin enforcing App Check token requirements in your callable Cloud Functions, modify your functions to check for valid App Check tokens, as shown below. Once you enable enforcement, all unverified requests will be rejected.

  1. Update your project's firebase-functions dependency to version 3.14.0 or newer:

    npm install firebase-functions@">=3.14.0"
    

    And update your project's firebase-admin dependency to version 9.8.0 or newer:

    npm install firebase-admin@">=9.8.0"
    
  2. Add a check for context.app to your function. Your function should fail if context.app isn't defined.

    exports.yourCallableFunction = functions.https.onCall((data, context) => {
      // context.app will be undefined if the request doesn't include an
      // App Check token. (If the request includes an invalid App Check
      // token, the request will be rejected with HTTP error 401.)
      if (context.app == undefined) {
        throw new functions.https.HttpsError(
            'failed-precondition',
            'The function must be called from an App Check verified app.')
      }
    
      // Your function logic follows.
    });
    
  3. (Optional) If you want to handle invalid App Check tokens with your own logic (for example, if you want to temporarily log, rather than reject, invalid requests before enabling full enforcement), set allowInvalidAppCheckToken to true:

    exports.yourCallableFunction = functions.
      .runWith({
        allowInvalidAppCheckToken: true  // Opt-out: Requests with invalid App
                                         // Check tokens continue to your code.
      })
      .https.onCall((data, context) => {
        // Now, requests with an invalid App Check token are not rejected.
        //
        // context.app will be undefined if the request:
        //   1) Does not include an App Check token
        //   2) Includes an invalid App Check token
        if (context.app == undefined) {
          // You can inspect the raw request header to check whether an App
          // Check token was provided in the request. If you're not ready to
          // fully enable App Check yet, you could log these conditions instead
          // of throwing errors.
          const rawToken = context.rawRequest.header['X-Firebase-AppCheck'];
          if (rawToken == undefined) {
            throw new functions.https.HttpsError(
                'failed-precondition',
                'The function must be called from an App Check verified app.'
            );
          } else {
            throw new functions.https.HttpsError(
                'unauthenticated',
                'Provided App Check token failed to validate.'
            );
          }
        }
    
        // Your function logic follows.
      });
    

    To enable full App Check protection, set allowInvalidAppCheckToken to false.

  4. Redeploy your functions:

    firebase deploy --only functions
    

Once these changes are deployed, your callable Cloud Functions will require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.