While the easiest way to use Cloud Firestore is to use one of the native client libraries, there are some situations when it is useful to call the REST API directly.
The REST API can be helpful for the following use cases:
- Accessing Cloud Firestore from a resource-constrained environment, such as an internet of things (IoT) device, where running a complete client library is not possible.
- Automating database administration or retrieving detailed database metadata.
If you are using a gRPC-supported language, consider using the RPC API rather than the REST API.
Authentication and authorization
For authentication, the Cloud Firestore REST API accepts either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token. The token you provide affects your request's authorization:
Use Firebase ID tokens to authenticate requests from your application's users. For these requests, Cloud Firestore uses Cloud Firestore Security Rules to determine if a request is authorized.
Use a Google Identity OAuth 2.0 token and a service account to authenticate requests from your application, such as requests for database administration. For these requests, Cloud Firestore uses Identity and Access Management (IAM) to determine if a request is authorized.
Working with Firebase ID tokens
You can attain a Firebase ID token in two ways:
- Generate a Firebase ID token using the Firebase Authentication REST API.
- Retrieve a user's Firebase ID token from a Firebase Authentication SDK.
By retrieving a user's Firebase ID token, you can make requests on behalf of the user.
For requests authenticated with a Firebase ID token and for unauthenticated requests, Cloud Firestore uses your Cloud Firestore Security Rules to determine if a request is authorized.
Working with Google Identity OAuth 2.0 tokens
You can generate an access token by using a
service account with a
Google API Client Library
or by following the steps in
Using OAuth 2.0 for Server to Server Applications. You
can also generate a token with the
gcloud command-line tool and the
gcloud auth application-default print-access-token.
This token must have the following scope to send requests to the Cloud Firestore REST API:
If you authenticate your requests with a service account and a Google Identity OAuth 2.0 token, Cloud Firestore assumes that your requests act on behalf of your application instead of an individual user. Cloud Firestore allows these requests to ignore your security rules. Instead, Cloud Firestore uses IAM to determine if a request is authorized.
You can control the access permissions of service accounts by assigning Cloud Firestore IAM roles.
Authenticating with an access token
After you obtain either a Firebase ID token or a Google Identity OAuth 2.0
token, pass it to the Cloud Firestore endpoints as an
header set to
Making REST calls
All REST API endpoints exist under the base URL
To create a path to a document with the ID
LA in the collection
under the project
YOUR_PROJECT_ID you would use the following structure.
To interact with this path, combine it with the base API URL.
The best way to begin experimenting with the REST API is to use the API Explorer, which automatically generates Google Identity OAuth 2.0 tokens and allows you to examine the API.
Below are brief descriptions of the two most important method groups. For a complete list, see the REST API reference or use the API Explorer.
Perform CRUD operations on documents, similar to those outlined in the add data or get data guides.
Perform actions on indexes such as creating new indexes, disabling an existing index, or listing all current indexes. Useful for automating data structure migrations or synchronizing indexes between projects.
Also enables retrieval of document metadata, such as the list of all fields and subcollections for a given document.
When a Cloud Firestore request succeeds, the
Cloud Firestore API returns an HTTP
200 OK status code and the
requested data. When a request fails, the Cloud Firestore API returns an
5xx status code and a response with information about
The following table lists recommended actions for each error code. These codes apply to the Cloud Firestore REST and RPC APIs. The Cloud Firestore SDKs and client libraries may not return these same error codes.
|Canonical Error Code||Description||Recommended Action|
||The request conflicted with another request.||For a non-transactional commit:
Retry the request or re-structure your data model to reduce contention.
For requests in a transaction:
Retry the entire transaction or re-structure your data model to reduce contention.
||The request tried to create a document that already exists.||Do not retry without fixing the problem.|
||The Cloud Firestore server handling the request exceeded a deadline.||Retry using exponential backoff.|
||The request did not meet one of its preconditions. For example, a query request might require an index not yet defined. See the message field in the error response for the precondition that failed.||Do not retry without fixing the problem.|
||The Cloud Firestore server returned an error.||Do not retry this request more than once.|
||A request parameter includes an invalid value. See the message field in the error response for the invalid value.||Do not retry without fixing the problem.|
||The request attempted to update a document that does not exist.||Do not retry without fixing the problem.|
||The user is not authorized to make this request.||Do not retry without fixing the problem.|
||The project exceeded either its quota or the region/multi-region capacity.||Verify that you did not exceed your project quota. If you exceeded a project quota, do not retry without fixing the problem.
Otherwise, retry with exponential backoff.
||The request did not include valid authentication credentials.||Do not retry without fixing the problem.|
||The Cloud Firestore server returned an error.||Retry using exponential backoff.|