Verify App Check tokens from a custom backend

You can protect your app's non-Firebase resources, such as self-hosted backends, with App Check. To do so, you will need to do both of the following:

  • Modify your app client to send an App Check token along with each request to your backend, as described on the pages for iOS+, Android, and web.
  • Modify your backend to require a valid App Check token with every request, as described on this page.

Before you begin

If you haven't already installed the Node.js Admin SDK, do so.

Verify tokens

To verify App Check tokens on your backend, add logic to your API endpoints that does the following:

  • Check that each request include an App Check token.

  • Verify the App Check token using the Admin SDK's appCheck().verifyToken() method.

    If verification succeeds, verifyToken() returns the decoded App Check token. Successful verification indicates the token originated from an app belonging to your Firebase project.

Reject any request that fails either check. For example, using Express.js middleware:

const express = require('express');
const app = express();

const firebaseAdmin = require('firebase-admin');
const firebaseApp = firebaseAdmin.initializeApp();

const appCheckVerification = async (req, res, next) => {
    const appCheckToken = req.header('X-Firebase-AppCheck');

    if (!appCheckToken) {
        return next('Unauthorized');

    try {
        const appCheckClaims = await firebaseAdmin.appCheck().verifyToken(appCheckToken);

        // If verifyToken() succeeds, continue with the next middleware
        // function in the stack.
        return next();
    } catch (err) {
        return next('Unauthorized');

app.get('/yourApiEndpoint', [appCheckVerification], (req, res) => {
    // Handle request.