앱 클라이언트에서 각 요청 전에 appCheck().getToken()으로 유효하고 만료되지 않은 App Check 토큰을 가져옵니다. 필요한 경우 App Check 라이브러리가 토큰을 새로고침합니다.
유효한 토큰이 있으면 요청과 함께 백엔드에 전송합니다. 이 작업을 실행하는 방법은 개발자에게 달려 있지만, 쿼리 파라미터에 포함되는 URL의 일부로 App Check 토큰을 전송해서는 안 됩니다. 실수로 인한 유출 및 가로채기에 취약하기 때문입니다. 다음 예시에서는 권장되는 방식인 커스텀 HTTP 헤더에서 토큰을 전송합니다.
Web
import{initializeAppCheck,getToken}from'firebase/app-check';constappCheck=initializeAppCheck(app,{provider:provider}// ReCaptchaV3Provider or CustomProvider);constcallApiWithAppCheckExample=async()=>{letappCheckTokenResponse;try{appCheckTokenResponse=awaitgetToken(appCheck,/* forceRefresh= */false);}catch(err){// Handle any errors if the token was not retrieved.return;}// Include the App Check token with requests to your server.constapiResponse=awaitfetch('https://yourbackend.example.com/yourApiEndpoint',{headers:{'X-Firebase-AppCheck':appCheckTokenResponse.token,}});// Handle response from your backend.};
constcallApiWithAppCheckExample=async()=>{letappCheckTokenResponse;try{appCheckTokenResponse=awaitfirebase.appCheck().getToken(/* forceRefresh= */false);}catch(err){// Handle any errors if the token was not retrieved.return;}// Include the App Check token with requests to your server.constapiResponse=awaitfetch('https://yourbackend.example.com/yourApiEndpoint',{headers:{'X-Firebase-AppCheck':appCheckTokenResponse.token,}});// Handle response from your backend.};
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["필요한 정보가 없음","missingTheInformationINeed","thumb-down"],["너무 복잡함/단계 수가 너무 많음","tooComplicatedTooManySteps","thumb-down"],["오래됨","outOfDate","thumb-down"],["번역 문제","translationIssue","thumb-down"],["샘플/코드 문제","samplesCodeIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[],[],null,["You can use App Check to protect non-Google custom backend resources for\nyour app, like your own self-hosted backend. To do so, you'll need to do both of\nthe following:\n\n- Modify your app client to send an App Check token along with each request to your backend, as described on this page.\n- Modify your backend to require a valid App Check token with every request, as described in [Verify App Check tokens from a custom backend](/docs/app-check/custom-resource-backend).\n\nBefore you begin\n\nAdd App Check to your app, using either the\n[reCAPTCHA Enterprise provider](/docs/app-check/web/recaptcha-enterprise-provider)\nor a [custom provider](/docs/app-check/web/custom-provider).\n\nSend App Check tokens with backend requests\n\nIn your app client, before each request, get a valid, unexpired, App Check\ntoken with `appCheck().getToken()`. The App Check library will refresh the\ntoken if necessary.\n\nOnce you have a valid token, send it along with the request to your backend. The\nspecifics of how you accomplish this are up to you, but *don't send\nApp Check tokens as part of URLs*, including in query parameters, as this\nmakes them vulnerable to accidental leakage and interception. The following\nexample sends the token in a custom HTTP header, which is the recommended\napproach. \n\nWeb \n\n```javascript\nimport { initializeAppCheck, getToken } from 'firebase/app-check';\n\nconst appCheck = initializeAppCheck(\n app,\n { provider: provider } // ReCaptchaV3Provider or CustomProvider\n);\n\nconst callApiWithAppCheckExample = async () =\u003e {\n let appCheckTokenResponse;\n try {\n appCheckTokenResponse = await getToken(appCheck, /* forceRefresh= */ false);\n } catch (err) {\n // Handle any errors if the token was not retrieved.\n return;\n }\n\n // Include the App Check token with requests to your server.\n const apiResponse = await fetch('https://yourbackend.example.com/yourApiEndpoint', {\n headers: {\n 'X-Firebase-AppCheck': appCheckTokenResponse.token,\n }\n });\n\n // Handle response from your backend.\n};https://github.com/firebase/snippets-web/blob/467eaa165dcbd9b3ab15711e76fa52237ba37f8b/snippets/appcheck-next/index/appcheck_nonfirebase.js#L8-L32\n```\n\nWeb \n\n```javascript\nconst callApiWithAppCheckExample = async () =\u003e {\n let appCheckTokenResponse;\n try {\n appCheckTokenResponse = await firebase.appCheck().getToken(/* forceRefresh= */ false);\n } catch (err) {\n // Handle any errors if the token was not retrieved.\n return;\n }\n\n // Include the App Check token with requests to your server.\n const apiResponse = await fetch('https://yourbackend.example.com/yourApiEndpoint', {\n headers: {\n 'X-Firebase-AppCheck': appCheckTokenResponse.token,\n }\n });\n\n // Handle response from your backend.\n};https://github.com/firebase/snippets-web/blob/467eaa165dcbd9b3ab15711e76fa52237ba37f8b/appcheck/index.js#L68-L85\n```\n\nReplay protection (beta)\n\nWhen making a request to an endpoint for which you've enabled\n[replay protection](/docs/app-check/custom-resource-backend#replay-protection),\nacquire a token using `getLimitedUseToken()` instead of `getToken()`: \n\n import { getLimitedUseToken } from \"firebase/app-check\";\n\n // ...\n\n appCheckTokenResponse = await getLimitedUseToken(appCheck);"]]
