
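The Firebase Admin SDK provides an API for managing your Firebase Authentication users with elevated privileges. The admin user management API lets you programmatically complete the following tasks from a secure server environment:

  • Create new users without any throttling or rate limiting.
  • Look up users by different criteria such as uid, email address or phone number.
  • List all the users of a specified project in batches.
  • Access user metadata, including account creation date and last sign-in date.
  • Delete users without requiring their current password.
  • Update user properties (including the password) without having to sign in as the user.
  • Verify emails without going through the out-of-band action flow for verifying emails.
  • Change a user's email address without sending an email link to revoke the change.
  • Create a new user with a phone number without going through the SMS verification flow.
  • Change a user's phone number without going through the SMS verification flow.
  • Provision users offline in a disabled state and then control when to enable them.
  • Build custom user consoles tailored to a specific application's user management system.


To use the user management API provided by the Firebase Admin SDK, you must have a service account. See the setup instructions for details on how to initialize the Admin SDK.


The primary way to identify a user is by their uid, a unique identifier for that user. The Admin SDK provides a method for fetching a user's profile information by their uid: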

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .getUser(uid)
  .then((userRecord) => {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log(`Successfully fetched user data: ${JSON.stringify(userRecord.toJSON())}`);
  })
  .catch((error) => {
    console.log('Error fetching user data:', error);
  });
```

```java
UserRecord userRecord = FirebaseAuth.getInstance().getUser(uid);
// See the UserRecord reference doc for the contents of userRecord.
System.out.println("Successfully fetched user data: " + userRecord.getUid());
```

```python
from firebase_admin import auth

user = auth.get_user(uid)
print('Successfully fetched user data: {0}'.format(user.uid))
```

```go
// Get an auth client from the firebase.App
client, err := app.Auth(ctx)
if err != nil {
	log.Fatalf("error getting Auth client: %v\n", err)
}

u, err := client.GetUser(ctx, uid)
if err != nil {
	log.Fatalf("error getting user %s: %v\n", uid, err)
}
log.Printf("Successfully fetched user data: %v\n", u)
```

```csharp
UserRecord userRecord = await FirebaseAuth.DefaultInstance.GetUserAsync(uid);
// See the UserRecord reference doc for the contents of userRecord.
Console.WriteLine($"Successfully fetched user data: {userRecord.Uid}");
```

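This method returns a UserRecord object for the user corresponding to the uid provided to it.

If the provided uid does not belong to an existing user, or the user cannot be fetched for any other reason, the above method throws an error. For a full list of error codes, including descriptions and resolution steps, see Admin Auth API Errors.

In some cases you will have a user's email address instead of their uid. The Firebase Admin SDK supports looking up user information by email address: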

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .getUserByEmail(email)
  .then((userRecord) => {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log(`Successfully fetched user data: ${JSON.stringify(userRecord.toJSON())}`);
  })
  .catch((error) => {
    console.log('Error fetching user data:', error);
  });
```

```java
UserRecord userRecord = FirebaseAuth.getInstance().getUserByEmail(email);
// See the UserRecord reference doc for the contents of userRecord.
System.out.println("Successfully fetched user data: " + userRecord.getEmail());
```

```python
from firebase_admin import auth

user = auth.get_user_by_email(email)
print('Successfully fetched user data: {0}'.format(user.uid))
```

```go
u, err := client.GetUserByEmail(ctx, email)
if err != nil {
	log.Fatalf("error getting user by email %s: %v\n", email, err)
}
log.Printf("Successfully fetched user data: %v\n", u)
```

```csharp
UserRecord userRecord = await FirebaseAuth.DefaultInstance.GetUserByEmailAsync(email);
// See the UserRecord reference doc for the contents of userRecord.
Console.WriteLine($"Successfully fetched user data: {userRecord.Uid}");
```

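This method returns a UserRecord object for the user corresponding to the email address provided.

If the provided email address does not belong to an existing user, or the user cannot be fetched for any other reason, the Admin SDK throws an error. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.

In other cases, you will have a user's phone number instead of their uid. The Firebase Admin SDK supports looking up user information by phone number: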

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .getUserByPhoneNumber(phoneNumber)
  .then((userRecord) => {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log(`Successfully fetched user data: ${JSON.stringify(userRecord.toJSON())}`);
  })
  .catch((error) => {
    console.log('Error fetching user data:', error);
  });
```

```java
UserRecord userRecord = FirebaseAuth.getInstance().getUserByPhoneNumber(phoneNumber);
// See the UserRecord reference doc for the contents of userRecord.
System.out.println("Successfully fetched user data: " + userRecord.getPhoneNumber());
```

```python
from firebase_admin import auth

user = auth.get_user_by_phone_number(phone)
print('Successfully fetched user data: {0}'.format(user.uid))
```

```go
u, err := client.GetUserByPhoneNumber(ctx, phone)
if err != nil {
	log.Fatalf("error getting user by phone %s: %v\n", phone, err)
}
log.Printf("Successfully fetched user data: %v\n", u)
```

```csharp
UserRecord userRecord = await FirebaseAuth.DefaultInstance.GetUserByPhoneNumberAsync(phoneNumber);
// See the UserRecord reference doc for the contents of userRecord.
Console.WriteLine($"Successfully fetched user data: {userRecord.Uid}");
```

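This method returns a UserRecord object for the user corresponding to the phone number provided.

If the provided phone number does not belong to an existing user, or the user cannot be fetched for any other reason, the Admin SDK throws an error. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.


The Firebase Admin SDK also supports retrieving a list of users based on identifiers that you provide. You can identify users by user ID, email address or phone number. A single call accepts at most 100 identifiers, and the identifiers can be a mix of types: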

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .getUsers([
    { uid: 'uid1' },
    { email: 'user2@example.com' },
    { phoneNumber: '+15555550003' },
    { providerId: 'google.com', providerUid: 'google_uid4' },
  ])
  .then((getUsersResult) => {
    console.log('Successfully fetched user data:');
    getUsersResult.users.forEach((userRecord) => {
      console.log(userRecord);
    });

    console.log('Unable to find users corresponding to these identifiers:');
    getUsersResult.notFound.forEach((userIdentifier) => {
      console.log(userIdentifier);
    });
  })
  .catch((error) => {
    console.log('Error fetching user data:', error);
  });
```

```java
GetUsersResult result = FirebaseAuth.getInstance().getUsersAsync(Arrays.asList(
    new UidIdentifier("uid1"),
    new EmailIdentifier("user2@example.com"),
    new PhoneIdentifier("+15555550003"),
    new ProviderIdentifier("google.com", "google_uid4"))).get();

System.out.println("Successfully fetched user data:");
for (UserRecord user : result.getUsers()) {
  System.out.println(user.getUid());
}

System.out.println("Unable to find users corresponding to these identifiers:");
for (UserIdentifier uid : result.getNotFound()) {
  System.out.println(uid);
}
```

```python
from firebase_admin import auth

result = auth.get_users([
    auth.UidIdentifier('uid1'),
    auth.EmailIdentifier('user2@example.com'),
    auth.PhoneIdentifier('+15555550003'),
    auth.ProviderIdentifier('google.com', 'google_uid4')
])

print('Successfully fetched user data:')
for user in result.users:
    print(user.uid)

print('Unable to find users corresponding to these identifiers:')
for uid in result.not_found:
    print(uid)
```

```go
getUsersResult, err := client.GetUsers(ctx, []auth.UserIdentifier{
	auth.UIDIdentifier{UID: "uid1"},
	auth.EmailIdentifier{Email: "user@example.com"},
	auth.PhoneIdentifier{PhoneNumber: "+15555551234"},
	auth.ProviderIdentifier{ProviderID: "google.com", ProviderUID: "google_uid1"},
})
if err != nil {
	log.Fatalf("error retrieving multiple users: %v\n", err)
}

log.Printf("Successfully fetched user data:")
for _, u := range getUsersResult.Users {
	log.Printf("%v", u)
}

log.Printf("Unable to find users corresponding to these identifiers:")
for _, id := range getUsersResult.NotFound {
	log.Printf("%v", id)
}
```

```csharp
GetUsersResult result = await FirebaseAuth.DefaultInstance.GetUsersAsync(
    new List<UserIdentifier>
    {
        new UidIdentifier("uid1"),
        new EmailIdentifier("user2@example.com"),
        new PhoneIdentifier("+15555550003"),
        new ProviderIdentifier("google.com", "google_uid4"),
    });

Console.WriteLine("Successfully fetched user data:");
foreach (UserRecord user in result.Users)
{
    Console.WriteLine($"User: {user.Uid}");
}

Console.WriteLine("Unable to find users corresponding to these identifiers:");
foreach (UserIdentifier uid in result.NotFound)
{
    Console.WriteLine($"{uid}");
}
```

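This method returns a list the same size as the input list, with each entry containing either the corresponding UserRecord or an error message explaining why that identifier could not be looked up. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.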
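One defensive use of the batch lookup, as an added example that is not part of the original page or the SDK: reconcile an application allowlist of uids against Firebase Authentication in chunks of at most 100 identifiers, and report grants that point at disabled or nonexistent accounts. The function name, the `FakeAuth` stand-in and the sample data are constructed for illustration; in production you would pass `firebase_admin.auth.get_users` and `firebase_admin.auth.UidIdentifier`, and the code reads the `users` attribute shown in the Python snippet above.

```python
from types import SimpleNamespace

MAX_IDENTIFIERS_PER_CALL = 100  # per-call limit stated on this page


def reconcile_allowlist(uids, get_users, make_identifier,
                        batch_size=MAX_IDENTIFIERS_PER_CALL):
    """Classify allowlisted uids as active, disabled or missing in Firebase Auth.

    get_users and make_identifier are injected; in production they would be
    firebase_admin.auth.get_users and firebase_admin.auth.UidIdentifier.
    """
    if not 1 <= batch_size <= MAX_IDENTIFIERS_PER_CALL:
        raise ValueError("batch_size must be between 1 and 100")
    unique = list(dict.fromkeys(uids))  # drop duplicates, keep order
    report = {"active": [], "disabled": [], "missing": []}
    for start in range(0, len(unique), batch_size):
        chunk = unique[start:start + batch_size]
        result = get_users([make_identifier(uid) for uid in chunk])
        found = {user.uid: user for user in result.users}
        for uid in chunk:
            user = found.get(uid)
            if user is None:
                report["missing"].append(uid)    # grant outlived the account
            elif user.disabled:
                report["disabled"].append(uid)   # account disabled, grant remains
            else:
                report["active"].append(uid)
    return report


class FakeAuth:
    """Constructed in-memory stand-in for the Admin SDK so the example runs offline."""

    def __init__(self, directory):
        self.directory = directory
        self.calls = 0

    def get_users(self, identifiers):
        if len(identifiers) > MAX_IDENTIFIERS_PER_CALL:
            raise ValueError("more than 100 identifiers in one call")
        self.calls += 1
        users = [self.directory[i] for i in identifiers if i in self.directory]
        not_found = [i for i in identifiers if i not in self.directory]
        return SimpleNamespace(users=users, not_found=not_found)


def demo_reconcile():
    # Constructed data: 200 accounts exist, every 50th one is disabled.
    directory = {f"uid{n}": SimpleNamespace(uid=f"uid{n}", disabled=(n % 50 == 0))
                 for n in range(200)}
    allowlist = [f"uid{n}" for n in range(250)] + ["uid1"]  # one duplicate
    fake = FakeAuth(directory)
    report = reconcile_allowlist(allowlist, fake.get_users, make_identifier=str)
    return report, fake.calls


if __name__ == "__main__":
    report, calls = demo_reconcile()
    print({k: len(v) for k, v in report.items()}, "calls:", calls)
```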


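The Admin SDK provides a method for creating a new Firebase Authentication user. This method accepts an object containing the profile information to include in the newly created user account: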

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .createUser({
    email: 'user@example.com',
    emailVerified: false,
    phoneNumber: '+11234567890',
    password: 'secretPassword',
    displayName: 'John Doe',
    photoURL: 'http://www.example.com/12345678/photo.png',
    disabled: false,
  })
  .then((userRecord) => {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log('Successfully created new user:', userRecord.uid);
  })
  .catch((error) => {
    console.log('Error creating new user:', error);
  });
```

```java
CreateRequest request = new CreateRequest()
    .setEmail("user@example.com")
    .setPassword("secretPassword")
    .setDisplayName("John Doe")
    .setDisabled(false);

UserRecord userRecord = FirebaseAuth.getInstance().createUser(request);
System.out.println("Successfully created new user: " + userRecord.getUid());
```

```python
from firebase_admin import auth

user = auth.create_user(
    email='user@example.com',
    password='secretPassword',
    display_name='John Doe',
    disabled=False)
print('Successfully created new user: {0}'.format(user.uid))
```

```go
params := (&auth.UserToCreate{}).
	Email("user@example.com").
	Password("secretPassword").
	DisplayName("John Doe").
	Disabled(false)
u, err := client.CreateUser(ctx, params)
if err != nil {
	log.Fatalf("error creating user: %v\n", err)
}
log.Printf("Successfully created user: %v\n", u)
```

```csharp
UserRecordArgs args = new UserRecordArgs()
{
    Email = "user@example.com",
    EmailVerified = false,
    PhoneNumber = "+11234567890",
    Password = "secretPassword",
    DisplayName = "John Doe",
    PhotoUrl = "http://www.example.com/12345678/photo.png",
    Disabled = false,
};
UserRecord userRecord = await FirebaseAuth.DefaultInstance.CreateUserAsync(args);
// See the UserRecord reference doc for the contents of userRecord.
Console.WriteLine($"Successfully created new user: {userRecord.Uid}");
```

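By default, Firebase Authentication generates a random uid for the new user. If you want to specify your own uid for the new user instead, you can pass it as an argument to the user creation method: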

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .createUser({
    uid: 'some-uid',
    email: 'user@example.com',
    phoneNumber: '+11234567890',
  })
  .then((userRecord) => {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log('Successfully created new user:', userRecord.uid);
  })
  .catch((error) => {
    console.log('Error creating new user:', error);
  });
```

```java
CreateRequest request = new CreateRequest()
    .setUid("some-uid")
    .setEmail("user@example.com")
    .setPhoneNumber("+11234567890");

UserRecord userRecord = FirebaseAuth.getInstance().createUser(request);
System.out.println("Successfully created new user: " + userRecord.getUid());
```

```python
from firebase_admin import auth

user = auth.create_user(
    uid='some-uid', email='user@example.com', phone_number='+15555550100')
print('Successfully created new user: {0}'.format(user.uid))
```

```go
params := (&auth.UserToCreate{}).
	UID("some-uid").
	Email("user@example.com").
	PhoneNumber("+11234567890")
u, err := client.CreateUser(ctx, params)
if err != nil {
	log.Fatalf("error creating user: %v\n", err)
}
log.Printf("Successfully created user: %v\n", u)
```

```csharp
UserRecordArgs args = new UserRecordArgs()
{
    Uid = "some-uid",
    Email = "user@example.com",
    PhoneNumber = "+11234567890",
};
UserRecord userRecord = await FirebaseAuth.DefaultInstance.CreateUserAsync(args);
// See the UserRecord reference doc for the contents of userRecord.
Console.WriteLine($"Successfully created new user: {userRecord.Uid}");
```


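Table 1. Properties supported by the create user operation

| Property | Type | Description |
|---|---|---|
| uid | string | The uid to assign to the newly created user. Must be a string between 1 and 128 characters long, inclusive. If not provided, a random uid is generated automatically. Shorter uids offer better application performance. |
| email | string | The user's primary email. Must be a valid email address. |
| emailVerified | boolean | Whether the user's primary email is verified. If not provided, the default is false. |
| phoneNumber | string | The user's primary phone number. Must be a valid E.164 spec compliant phone number. |
| password | string | The user's raw, unhashed password. Must be at least six characters long. |
| displayName | string | The user's display name. |
| photoURL | string | The user's photo URL. |
| disabled | boolean | Whether the user is disabled. true for disabled; false for enabled. If not provided, the default is false. |

The user creation method returns a UserRecord object for the newly created user.

If the provided uid, email address or phone number is already in use by an existing user, or the user cannot be created for any other reason, the above method fails with an error. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.


The Firebase Admin SDK can be used to modify an existing user's data. You need to specify the uid along with the properties to update for that user: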

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .updateUser(uid, {
    email: 'modifiedUser@example.com',
    phoneNumber: '+11234567890',
    emailVerified: true,
    password: 'newPassword',
    displayName: 'Jane Doe',
    photoURL: 'http://www.example.com/12345678/photo.png',
    disabled: true,
  })
  .then((userRecord) => {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log('Successfully updated user', userRecord.toJSON());
  })
  .catch((error) => {
    console.log('Error updating user:', error);
  });
```

```java
UpdateRequest request = new UpdateRequest(uid)
    .setEmail("modifiedUser@example.com")
    .setPassword("newPassword")
    .setDisplayName("Jane Doe")
    .setDisabled(true);

UserRecord userRecord = FirebaseAuth.getInstance().updateUser(request);
System.out.println("Successfully updated user: " + userRecord.getUid());
```

```python
from firebase_admin import auth

user = auth.update_user(
    uid,
    email='modifiedUser@example.com',
    password='newPassword',
    display_name='John Doe',
    disabled=True)
print('Successfully updated user: {0}'.format(user.uid))
```

```go
params := (&auth.UserToUpdate{}).
	Email("modifiedUser@example.com").
	Password("newPassword").
	DisplayName("John Doe").
	Disabled(true)
u, err := client.UpdateUser(ctx, uid, params)
if err != nil {
	log.Fatalf("error updating user: %v\n", err)
}
log.Printf("Successfully updated user: %v\n", u)
```

```csharp
UserRecordArgs args = new UserRecordArgs()
{
    Uid = uid,
    Email = "modifiedUser@example.com",
    PhoneNumber = "+11234567890",
    EmailVerified = true,
    Password = "newPassword",
    DisplayName = "Jane Doe",
    PhotoUrl = "http://www.example.com/12345678/photo.png",
    Disabled = true,
};
UserRecord userRecord = await FirebaseAuth.DefaultInstance.UpdateUserAsync(args);
// See the UserRecord reference doc for the contents of userRecord.
Console.WriteLine($"Successfully updated user: {userRecord.Uid}");
```


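Table 2. Properties supported by the update user operation

| Property | Type | Description |
|---|---|---|
| email | string | The user's new primary email. Must be a valid email address. |
| emailVerified | boolean | Whether the user's primary email is verified. If not provided, the default is false. |
| phoneNumber | string | The user's new primary phone number. Must be a valid E.164 spec compliant phone number. Set to null to clear the user's existing phone number. |
| password | string | The user's new raw, unhashed password. Must be at least six characters long. |
| displayName | string \| null | The user's new display name. Set to null to clear the user's existing display name. |
| photoURL | string \| null | The user's new photo URL. Set to null to clear the user's existing photo URL. If non-null, must be a valid URL. |
| disabled | boolean | Whether the user is disabled. true for disabled; false for enabled. |

The update user method returns the updated UserRecord object when the update completes successfully.

If the provided uid does not correspond to an existing user, the provided email address or phone number is already in use by an existing user, or the user cannot be updated for any other reason, the above method fails with an error. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.


The Firebase Admin SDK allows deleting existing users by their uid: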

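```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .deleteUser(uid)
  .then(() => {
    console.log('Successfully deleted user');
  })
  .catch((error) => {
    console.log('Error deleting user:', error);
  });
```

```java
FirebaseAuth.getInstance().deleteUser(uid);
System.out.println("Successfully deleted user.");
```

```python
from firebase_admin import auth

auth.delete_user(uid)
print('Successfully deleted user')
```

```go
err := client.DeleteUser(ctx, uid)
if err != nil {
	log.Fatalf("error deleting user: %v\n", err)
}
log.Printf("Successfully deleted user: %s\n", uid)
```

```csharp
await FirebaseAuth.DefaultInstance.DeleteUserAsync(uid);
Console.WriteLine("Successfully deleted user.");
```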


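If the provided uid does not correspond to an existing user, or the user cannot be deleted for any other reason, the delete user method throws an error. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.


The Firebase Admin SDK can also delete multiple users at once. Note, however, that deleting multiple users at once with methods like deleteUsers(uids) does not trigger onDelete() event handlers for Cloud Functions for Firebase. This is because batch deletion does not trigger a user deletion event for each user. If you want a user deletion event to fire for each deleted user, delete users one at a time.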

```js
const { getAuth } = require('firebase-admin/auth');

getAuth()
  .deleteUsers([uid1, uid2, uid3])
  .then((deleteUsersResult) => {
    console.log(`Successfully deleted ${deleteUsersResult.successCount} users`);
    console.log(`Failed to delete ${deleteUsersResult.failureCount} users`);
    deleteUsersResult.errors.forEach((err) => {
      console.log(err.error.toJSON());
    });
  })
  .catch((error) => {
    console.log('Error deleting users:', error);
  });
```

```java
DeleteUsersResult result = FirebaseAuth.getInstance().deleteUsersAsync(
    Arrays.asList("uid1", "uid2", "uid3")).get();

System.out.println("Successfully deleted " + result.getSuccessCount() + " users");
System.out.println("Failed to delete " + result.getFailureCount() + " users");
for (ErrorInfo error : result.getErrors()) {
  System.out.println("error #" + error.getIndex() + ", reason: " + error.getReason());
}
```

```python
from firebase_admin import auth

result = auth.delete_users(["uid1", "uid2", "uid3"])

print('Successfully deleted {0} users'.format(result.success_count))
print('Failed to delete {0} users'.format(result.failure_count))
for err in result.errors:
    # Each entry carries the index of the failed uid and the reason.
    print('error #{0}, reason: {1}'.format(err.index, err.reason))
```

```go
deleteUsersResult, err := client.DeleteUsers(ctx, []string{"uid1", "uid2", "uid3"})
if err != nil {
	log.Fatalf("error deleting users: %v\n", err)
}

log.Printf("Successfully deleted %d users", deleteUsersResult.SuccessCount)
log.Printf("Failed to delete %d users", deleteUsersResult.FailureCount)
for _, err := range deleteUsersResult.Errors {
	log.Printf("%v", err)
}
```

```csharp
DeleteUsersResult result = await FirebaseAuth.DefaultInstance.DeleteUsersAsync(new List<string>
    {
        "uid1",
        "uid2",
        "uid3",
    });

Console.WriteLine($"Successfully deleted {result.SuccessCount} users.");
Console.WriteLine($"Failed to delete {result.FailureCount} users.");

foreach (ErrorInfo err in result.Errors)
{
    Console.WriteLine($"Error #{err.Index}, reason: {err.Reason}");
}
```

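The delete users method returns a list of failures for the users that could not be deleted. For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.


The Firebase Admin SDK supports retrieving the entire list of users in batches: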

```js
const { getAuth } = require('firebase-admin/auth');

const listAllUsers = (nextPageToken) => {
  // List batch of users, 1000 at a time.
  getAuth()
    .listUsers(1000, nextPageToken)
    .then((listUsersResult) => {
      listUsersResult.users.forEach((userRecord) => {
        console.log('user', userRecord.toJSON());
      });
      if (listUsersResult.pageToken) {
        // List next batch of users.
        listAllUsers(listUsersResult.pageToken);
      }
    })
    .catch((error) => {
      console.log('Error listing users:', error);
    });
};
// Start listing users from the beginning, 1000 at a time.
listAllUsers();
```

```java
// Start listing users from the beginning, 1000 at a time.
ListUsersPage page = FirebaseAuth.getInstance().listUsers(null);
while (page != null) {
  for (ExportedUserRecord user : page.getValues()) {
    System.out.println("User: " + user.getUid());
  }
  page = page.getNextPage();
}

// Iterate through all users. This will still retrieve users in batches,
// buffering no more than 1000 users in memory at a time.
page = FirebaseAuth.getInstance().listUsers(null);
for (ExportedUserRecord user : page.iterateAll()) {
  System.out.println("User: " + user.getUid());
}
```

```python
from firebase_admin import auth

# Start listing users from the beginning, 1000 at a time.
page = auth.list_users()
while page:
    for user in page.users:
        print('User: ' + user.uid)
    # Get next batch of users.
    page = page.get_next_page()

# Iterate through all users. This will still retrieve users in batches,
# buffering no more than 1000 users in memory at a time.
for user in auth.list_users().iterate_all():
    print('User: ' + user.uid)
```

```go
// Note, behind the scenes, the Users() iterator will retrieve 1000 Users at a time through the API
iter := client.Users(ctx, "")
for {
	user, err := iter.Next()
	if err == iterator.Done {
		break
	}
	if err != nil {
		log.Fatalf("error listing users: %s\n", err)
	}
	log.Printf("read user: %v\n", user)
}

// Iterating by pages 100 users at a time.
// Note that using both the Next() function on an iterator and the NextPage()
// on a Pager wrapping that same iterator will result in an error.
pager := iterator.NewPager(client.Users(ctx, ""), 100, "")
for {
	var users []*auth.ExportedUserRecord
	nextPageToken, err := pager.NextPage(&users)
	if err != nil {
		log.Fatalf("paging error %v\n", err)
	}
	for _, u := range users {
		log.Printf("read user: %v\n", u)
	}
	if nextPageToken == "" {
		break
	}
}
```

```csharp
// Start listing users from the beginning, 1000 at a time.
var pagedEnumerable = FirebaseAuth.DefaultInstance.ListUsersAsync(null);
var responses = pagedEnumerable.AsRawResponses().GetAsyncEnumerator();
while (await responses.MoveNextAsync())
{
    ExportedUserRecords response = responses.Current;
    foreach (ExportedUserRecord user in response.Users)
    {
        Console.WriteLine($"User: {user.Uid}");
    }
}

// Iterate through all users. This will still retrieve users in batches,
// buffering no more than 1000 users in memory at a time.
var enumerator = FirebaseAuth.DefaultInstance.ListUsersAsync(null).GetAsyncEnumerator();
while (await enumerator.MoveNextAsync())
{
    ExportedUserRecord user = enumerator.Current;
    Console.WriteLine($"User: {user.Uid}");
}
```

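Each batch of results contains a list of users and the next page token used to list the next batch of users. Once all users have been listed, no pageToken is returned.

If no maxResults field is specified, the default of 1000 users per batch is used. This is also the maximum number of users that can be listed in one operation. A value above that maximum throws an argument error. If no pageToken is specified, the operation lists users from the beginning, ordered by uid.

For a full list of error codes, including descriptions and resolution steps, see Admin Authentication API Errors.


If the user/service account used to generate the request's OAuth access token has the firebaseauth.configs.getHashConfig permission, the API also returns, for password users, the passwordSalt and passwordHash hashed by the Firebase Authentication backend. Otherwise, passwordHash and passwordSalt are not set.

Because password hashes are sensitive, the Firebase Admin SDK service account does not have the firebaseauth.configs.getHashConfig permission by default. You cannot add a permission directly to a user/service account, but you can do so indirectly by creating a custom IAM role.

To create the custom IAM role:

  1. In the Google Cloud console, go to the Roles page in the IAM & Admin panel.
  2. Select your project from the drop-down list at the top of the page.
  3. Click Create Role.
  4. Click Add Permissions.
  5. Search for the firebaseauth.configs.getHashConfig permission and select its checkbox.
  6. Click Add.
  7. Click Create to finish creating the new role.

Add the created custom role to the user/service account in the IAM page:

  1. In the IAM & Admin panel, select IAM.
  2. Select the service account or user account to modify from the list of members.
  3. Click Add Another Role.
  4. Search for the new custom role created earlier.
  5. Click Save.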
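Once the custom role exists, it is worth checking periodically who actually holds the hash-reading permission. The following added example (not part of the original page or the SDK) walks a project IAM policy and a set of role definitions and reports every principal whose roles include firebaseauth.configs.getHashConfig. It assumes the policy is a dict with a `bindings` list of `role`/`members` entries and that each role definition supplies its `includedPermissions`; the project, role and account names in the sample data are constructed placeholders.

```python
HASH_PERMISSION = "firebaseauth.configs.getHashConfig"


def audit_hash_access(policy, role_permissions, expected=()):
    """Find principals whose roles grant HASH_PERMISSION.

    policy: project IAM policy as a dict with a "bindings" list.
    role_permissions: {role name: includedPermissions list} for resolved roles.
    expected: members that are supposed to hold the permission.
    """
    holders, unresolved = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        permissions = role_permissions.get(role)
        if permissions is None:
            unresolved.add(role)  # definition not supplied: review by hand
            continue
        if HASH_PERMISSION not in permissions:
            continue
        for member in binding.get("members", []):
            holders.setdefault(member, []).append(role)
    unexpected = sorted(set(holders) - set(expected))
    return {"holders": holders, "unexpected": unexpected,
            "unresolved_roles": sorted(unresolved)}


# Constructed sample input; project, role and account names are placeholders.
EXPORT_SA = "serviceAccount:user-export@example-project.iam.gserviceaccount.com"
HASH_ROLE = "projects/example-project/roles/authHashReader"
SAMPLE_POLICY = {"bindings": [
    {"role": HASH_ROLE, "members": [EXPORT_SA, "user:dev@example.com"]},
    {"role": "projects/example-project/roles/userSupport",
     "members": ["group:support@example.com"]},
    {"role": "roles/editor", "members": ["user:lead@example.com"]},
]}
SAMPLE_ROLES = {
    HASH_ROLE: [HASH_PERMISSION, "firebaseauth.users.get"],
    "projects/example-project/roles/userSupport":
        ["firebaseauth.users.get", "firebaseauth.users.update"],
}


def demo_audit():
    # Only the export service account is expected to read password hashes.
    return audit_hash_access(SAMPLE_POLICY, SAMPLE_ROLES, expected={EXPORT_SA})


if __name__ == "__main__":
    print(demo_audit())
```

Roles listed under `unresolved_roles` were bound in the policy but had no definition supplied, so their permissions need to be reviewed separately before the audit can be considered complete.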