Firebase App Check

App Check helps protect your backend resources from abuse, such as billing fraud and phishing. It works with both Firebase services and your own backends to keep your resources safe.

With App Check, devices running your app will use an app or device attestation provider that attests to one or both of the following:

  • Requests originate from your authentic app
  • Requests originate from an authentic, untampered device

This attestation is attached to every request your app makes to your Firebase backend resources.

App Check has built-in support for using the following services as attestation providers:

If these are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques.

App Check currently works with the following Firebase products:

  • Realtime Database
  • Cloud Storage
  • Cloud Functions (callable functions)

Get started with DeviceCheck on iOS Get started with App Attest on iOS

Get started on Android

Get started on web apps

You can also use App Check to protect your non-Firebase backend resources:

iOS Android Web

How does it work?

When you enable App Check for a service and include the client SDK in your app, the following happens periodically:

  1. Your app interacts with the provider of your choice to obtain an attestation of the app or device's authenticity (or both, depending on the provider).
  2. The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token with an expiration time. This token might retain some information about the attestation material it verified.
  3. The App Check client SDK caches the token in your app, ready to be sent along with any requests your app makes to protected services.

A service protected by App Check only accepts requests accompanied by a current, valid App Check token.

How strong is the security provided by App Check?

App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.

App Check and Firebase Authentication are complementary parts of your app security story. Firebase Authentication provides user authentication, which protects your users, whereas App Check provides attestation of app or device authenticity, which protects you, the developer. App Check guards access to your Firebase resources and custom backends by requiring API calls to contain a valid Firebase App Check token. These two concepts work together to help secure your app.

Quotas & limits

Your use of App Check is subject to the quotas and limits of the attestation providers you use.

  • DeviceCheck access is subject to any quotas or limitations set by Apple.

  • SafetyNet has a daily quota of 10,000 calls. For information on requesting a quota increase, see the SafetyNet documentation.

  • reCAPTCHA v3 has a monthly quota of 1 million calls, as well as a 1,000 QPS limit. For information on requesting a quota increase, see the reCAPTCHA documentation.

Get started

Ready to get started?

Get started with DeviceCheck on iOS Get started with App Attest on iOS

Get started on Android

Get started on web apps

Get started with custom providers

Learn how to use App Check to protect your non-Firebase backend resources:

iOS Android Web