The Firebase Admin SDK allows you to integrate your own servers with Firebase Authentication. You can use the Firebase Admin SDK to manage your users or to manage authentication tokens. There are a number of reasons you would want to do this:

**User Management**

It is not always convenient to have to visit the Firebase console to manage your Firebase users. The admin user management API provides programmatic access to those same users. It even allows you to do things the Firebase console cannot, such as retrieving a user's full data and changing a user's password, email address, or phone number.

**Custom Authentication**

You can integrate an external user system with Firebase. For example, you may already have a pre-existing user database or you may want to integrate with a third-party identity provider that Firebase Authentication doesn't natively support.

To do this, you can create custom tokens with arbitrary claims identifying the user. These custom tokens can then be used to sign into the Firebase Authentication service on a client application and assume the identity described by the token's claims. This identity will then be used when accessing other Firebase services, such as Cloud Storage.

**Identity Verification**

Firebase Authentication is primarily used to identify users of your app in order to restrict access to other services, like Cloud Storage. You can also use the service to identify these users on your own server. This lets you securely perform server-side logic on behalf of users that have signed in with Firebase Authentication.

To do this, you can retrieve an ID token from a client application signed in with Firebase Authentication and include the token in a request to your server. Your server then verifies the ID token and extracts the claims that identify the user (including their `uid`, the identity provider they logged in with, etc.). This identity information can then be used by your server to carry out actions on behalf of the user.

> Note: This documentation explains how to manage your own authentication tokens. If you are instead looking for documentation on how to authenticate the Admin SDK to access the Firebase Realtime Database, check out [Introduction to the Admin Database API](https://firebase.google.com/docs/database/admin/start/).

The Firebase Admin SDK provides methods for accomplishing the authentication tasks above by enabling you to manage your users, generate custom tokens, and verify ID tokens.

**Custom User Claims**

In some cases, you may want to implement fine-grained access control for users already signed in with one of the supported Firebase auth providers such as Email/Password, Google, Facebook, phone, etc. A combination of custom user claims and application security rules provides this capability. For example, a user signed in with the Firebase Authentication Email and Password provider can have access control defined using custom claims.

## User management

The Firebase Admin SDK provides an API for managing your Firebase users with elevated privileges. The admin user management API gives you the ability to programmatically retrieve, create, update, and delete users without requiring a user's existing credentials and without worrying about client-side rate limiting.

[Manage users](./manage-users)

## Custom token creation

The primary use for creating custom tokens is to allow users to authenticate against an external or legacy authentication mechanism. This could be one you control, such as your LDAP server, or a third-party OAuth provider which Firebase does not natively support, such as Instagram or LinkedIn.

The Firebase Admin SDK has a built-in method for creating custom tokens. You can also programmatically create custom tokens in any language using third-party JWT libraries.

Your server should create a custom token with a unique identifier (`uid`) and pass that token to a client app, which will use it to sign in to Firebase. See [Create custom tokens](https://firebase.google.com/docs/auth/admin/create-custom-tokens) for code samples and more details about the custom token creation process.

> Note: If you just need to connect to the Firebase Realtime Database from your own server, don't use custom tokens. Instead, use a Firebase Admin SDK to [authenticate with limited privileges](https://firebase.google.com/docs/database/admin/start#authenticate-with-limited-privileges).

[Create custom tokens](https://firebase.google.com/docs/auth/admin/create-custom-tokens)

## ID token verification

If your Firebase client app communicates with your backend server, you might need to identify the currently signed-in user on your server so you can perform server-side logic on their behalf. You can do this securely by using ID tokens, which are created by Firebase when a user signs into a Firebase app. ID tokens conform to the [OpenID Connect spec](http://openid.net/specs/openid-connect-core-1_0.html) and contain data to identify a user, as well as some other profile and authentication related information. You can send, verify, and inspect these tokens from your own backends. This allows you to securely identify the currently signed-in user and authorize them into your own backend resources.

The Firebase Admin SDK has a built-in method for verifying ID tokens. You can also programmatically verify ID tokens in any language using third-party JWT libraries. See [Verify ID tokens](https://firebase.google.com/docs/auth/admin/verify-id-tokens) for more details and code samples about the ID token verification process.

> Note: If you want your server to emulate user actions like accessing the Firebase Realtime Database as that user, you should first verify and decode an ID token for that user. Then, use the `databaseAuthVariableOverride` option to limit the privileges of your server, as described in [Authenticate with limited privileges](https://firebase.google.com/docs/database/admin/start#authenticate-with-limited-privileges).

[Verify ID tokens](https://firebase.google.com/docs/auth/admin/verify-id-tokens)

## Custom user claims

The Firebase Admin SDK lets you set custom attributes on user accounts. With custom user claims, you can give users different levels of access (roles), which are then enforced in an application's security rules.

After custom claims are modified on a user via the Firebase Admin SDK, they are propagated to the authenticated users on the client side via their ID tokens. The ID token is a trusted mechanism for delivering these custom claims, and all authenticated access must validate the ID token before processing the associated request.

[Control Access with Custom Claims](https://firebase.google.com/docs/auth/admin/custom-claims)

Last updated: 2025-07-25 (UTC).