Get started using App Check with a custom provider on Apple platforms

This page shows you how to enable App Check in an Apple app, using your custom App Check provider. When you enable App Check, you help ensure that only your app can access your project's Firebase resources.

If you want to use App Check with the built-in providers, see the docs for App Check with App Attest and App Check with DeviceCheck.

Before you begin

Add Firebase to your Apple project if you haven’t already done so.
Implement your custom App Check provider's server-side logic.

1. Add the App Check library to your app

Add the dependency for App Check to your project's Podfile:
```
pod 'FirebaseAppCheck'
```
Or, alternatively, you can use Swift Package Manager instead.

Also, make sure you're using the latest version of any Firebase service client libraries you depend on.
Run pod install and open the created .xcworkspace file.

2. Implement the App Check protocols

First, you need to create classes that implement the AppCheckProvider and AppCheckProviderFactory protocols.

Your AppCheckProvider class must have a getToken(completion:) method, which collects whatever information your custom App Check provider requires as proof of authenticity, and sends it to your token acquisition service in exchange for an App Check token. The App Check SDK handles token caching, so always get a new token in your implementation of getToken(completion:).

Swift

class YourCustomAppCheckProvider: NSObject, AppCheckProvider {
    var app: FirebaseApp

    init(withFirebaseApp app: FirebaseApp) {
        self.app = app
        super.init()
    }

    func getToken(completion handler: @escaping (AppCheckToken?, Error?) -> Void) {
        DispatchQueue.main.async {
            // Logic to exchange proof of authenticity for an App Check token.
            // ...

            // Create AppCheckToken object.
            let exp = Date(timeIntervalSince1970: expirationFromServer)
            let token = AppCheckToken(
                token: tokenFromServer,
                expirationDate: exp
            )

            // Pass the token or error to the completion handler.
            handler(token, nil)
        }
    }
}

Objective-C

@interface YourCustomAppCheckProvider : NSObject <FIRAppCheckProvider>

@property FIRApp *app;

- (id)initWithApp:(FIRApp *)app;

@end

@implementation YourCustomAppCheckProvider

- (id)initWithApp:app {
    self = [super init];
    if (self) {
        self.app = app;
    }
    return self;
}

- (void)getTokenWithCompletion:(nonnull void (^)(FIRAppCheckToken * _Nullable,
                                                 NSError * _Nullable))handler {
    dispatch_async(dispatch_get_main_queue(), ^{
        // Logic to exchange proof of authenticity for an App Check token.
        // ...

        // Create FIRAppCheckToken object.
        NSTimeInterval exp = expirationFromServer;
        FIRAppCheckToken *token
            = [[FIRAppCheckToken alloc] initWithToken:tokenFromServer
                                       expirationDate:[NSDate dateWithTimeIntervalSince1970:exp]];

        // Pass the token or error to the completion handler.
        handler(token, nil);
    });
}

@end

Also, implement a AppCheckProviderFactory class that creates instances of your AppCheckProvider implementation:

Swift

class YourCustomAppCheckProviderFactory: NSObject, AppCheckProviderFactory {
  func createProvider(with app: FirebaseApp) -> AppCheckProvider? {
    return YourCustomAppCheckProvider(withFirebaseApp: app)
  }
}

Objective-C

@interface YourCustomAppCheckProviderFactory : NSObject <FIRAppCheckProviderFactory>
@end

@implementation YourCustomAppCheckProviderFactory

- (nullable id<FIRAppCheckProvider>)createProviderWithApp:(FIRApp *)app {
    return [[YourCustomAppCheckProvider alloc] initWithApp:app];
}

@end

3. Initialize App Check

Add the following initialization code to your app delegate or app initializer:

Swift

let providerFactory = YourAppCheckProviderFactory()
AppCheck.setAppCheckProviderFactory(providerFactory)

FirebaseApp.configure()

Objective-C

YourAppCheckProviderFactory *providerFactory =
        [[YourAppCheckProviderFactory alloc] init];
[FIRAppCheck setAppCheckProviderFactory:providerFactory];

[FIRApp configure];

Next steps

Once the App Check library is installed in your app, start distributing the updated app to your users.

The updated client app will begin sending App Check tokens along with every request it makes to Firebase, but Firebase products will not require the tokens to be valid until you enable enforcement in the App Check section of the Firebase console.

Monitor metrics and enable enforcement

Before you enable enforcement, however, you should make sure that doing so won't disrupt your existing legitimate users. On the other hand, if you're seeing suspicious use of your app resources, you might want to enable enforcement sooner.

To help make this decision, you can look at App Check metrics for the services you use:

Monitor App Check request metrics for Realtime Database, Cloud Firestore, and Cloud Storage.
Monitor App Check request metrics for Cloud Functions.

Enable App Check enforcement

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement:

Enable App Check enforcement for Realtime Database, Cloud Firestore, and Cloud Storage.
Enable App Check enforcement for Cloud Functions.

Use App Check in debug environments

If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as a simulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

See Use App Check with the debug provider on Apple platforms.