Enable App Check enforcement for Cloud Functions

To begin enforcing App Check token requirements in your callable Cloud Functions, modify your functions to check for valid App Check tokens.

Before you begin

Enable App Check in your Apple, Android, and Web clients.

Add App Check support to a function

  1. Update your project's firebase-functions dependency to version 3.14.0 or newer:

    npm install firebase-functions@">=3.14.0"

    And update your project's firebase-admin dependency to version 9.8.0 or newer:

    npm install firebase-admin@">=9.8.0"

  2. Add a check for context.app to your function. Your function should fail if context.app isn't defined.

    const functions = require('firebase-functions');

    exports.yourCallableFunction = functions.https.onCall((data, context) => {
      // context.app will be undefined if the request doesn't include an
      // App Check token. (If the request includes an invalid App Check
      // token, the request will be rejected with HTTP error 401.)
      if (context.app == undefined) {
        // HttpsError takes an error code first, then the message.
        throw new functions.https.HttpsError(
            'failed-precondition',
            'The function must be called from an App Check verified app.');
      }

      // Your function logic follows.
    });

  3. (Optional) If you want to handle invalid App Check tokens with your own logic (for example, if you want to temporarily log, rather than reject, invalid requests before enabling full enforcement), set allowInvalidAppCheckToken to true:

    const functions = require('firebase-functions');

    exports.yourCallableFunction = functions
      .runWith({
        allowInvalidAppCheckToken: true  // Opt-out: Requests with invalid App
                                         // Check tokens continue to your code.
      })
      .https.onCall((data, context) => {
        // Now, requests with an invalid App Check token are not rejected.
        // context.app will be undefined if the request:
        //   1) Does not include an App Check token
        //   2) Includes an invalid App Check token
        if (context.app == undefined) {
          // You can inspect the raw request header to check whether an App
          // Check token was provided in the request. If you're not ready to
          // fully enable App Check yet, you could log these conditions instead
          // of throwing errors.
          // header() is a method on the underlying Express request object.
          const rawToken = context.rawRequest.header('X-Firebase-AppCheck');
          if (rawToken == undefined) {
            throw new functions.https.HttpsError(
                'failed-precondition',
                'The function must be called from an App Check verified app.'
            );
          } else {
            throw new functions.https.HttpsError(
                'unauthenticated',
                'Provided App Check token failed to validate.'
            );
          }
        }

        // Your function logic follows.
      });

    To enable full App Check protection, set allowInvalidAppCheckToken to false.

  4. Redeploy your functions:

    firebase deploy --only functions

Once these changes are deployed, your callable Cloud Functions will require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.
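
The staged rollout described in step 3 (log unverified requests first, reject them later), as an added example that is not part of the original Firebase documentation. The names classifyAppCheck, withAppCheck, the enforce and log options, and the fake context objects are hypothetical; HttpsError is passed in so the block runs without the SDK, and a deployed function would pass functions.https.HttpsError and keep allowInvalidAppCheckToken set to true.

```javascript
// Added example: staged App Check rollout for a callable function.
// classifyAppCheck, withAppCheck, `enforce` and `log` are hypothetical names.

// Classify a callable request from the same fields the snippets above use.
// Assumes the function runs with allowInvalidAppCheckToken: true, so requests
// with an invalid token reach this code with context.app undefined.
function classifyAppCheck(context) {
  if (context.app !== undefined) return 'verified';
  // Express's req.header() does a case-insensitive header lookup.
  const rawToken = context.rawRequest.header('X-Firebase-AppCheck');
  return rawToken ? 'invalid' : 'missing';
}

// Error code and message per unverified status, as in the snippets above.
const REJECTIONS = {
  missing: ['failed-precondition',
            'The function must be called from an App Check verified app.'],
  invalid: ['unauthenticated', 'Provided App Check token failed to validate.'],
};

// Wrap a callable handler.
//   enforce=false: log unverified requests and let them through (monitoring).
//   enforce=true:  log and reject them.
function withAppCheck(handler, { enforce, HttpsError, log = console.warn }) {
  return (data, context) => {
    const status = classifyAppCheck(context);
    if (status !== 'verified') {
      // Log the status only, never the token value itself.
      log(`appcheck status=${status} enforce=${enforce}`);
      if (enforce) throw new HttpsError(...REJECTIONS[status]);
    }
    return handler(data, context);
  };
}

// Constructed stand-ins for the callable `context` argument and the SDK error.
const fakeContext = (app, headers = {}) => ({
  app,
  rawRequest: { header: (name) => headers[name.toLowerCase()] },
});
class FakeHttpsError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}
```

Run with enforce set to false until the logged missing and invalid counts from legitimate clients drop to the level you expect, then switch to true.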