Method: projects.apps.exchangeCustomToken

Validates a custom token signed using your project's Admin SDK service account credentials. If valid, returns an AppCheckToken .

HTTP request

POST https://firebaseappcheck.googleapis.com/v1beta/{app=projects/*/apps/*}:exchangeCustomToken

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
app

string

Required. The relative resource name of the app, in the format:

projects/{project_number}/apps/{app_id}

If necessary, the project_number element can be replaced with the project ID of the Firebase project. Learn more about using project identifiers in Google's AIP 2510 standard.

Request body

The request body contains data with the following structure:

JSON representation
{
  "customToken": string,
  "limitedUse": boolean,
  "jti": string
}
Fields
customToken

string

Required. A custom token signed using your project's Admin SDK service account credentials.

limitedUse

boolean

Specifies whether this attestation is for use in a limited use ( true ) or session based ( false ) context. To enable this attestation to be used with the replay protection feature, set this to true . The default value is false .

jti

string

Optional. When limitedUse is set to true , this field specifies the desired jti claim (Section 4.1.7 of RFC 7519) in the returned App Check token. Limited use App Check tokens with the same jti will be counted as the same token for the purposes of replay protection.

An error is returned if this field is specified without setting limitedUse to true .

The size of this field is limited to 500 bytes. If specified, its length must be at least 16 bytes.

If this field is omitted or is empty and limitedUse is set to true , a randomly generated jti claim with length between 16 and 500 bytes (inclusive) will be used in the returned App Check token. Leaving this field empty is only recommended if your custom attestation provider itself is not vulnerable to replay attacks.

When limitedUse is set to false , the presence and the contents of the jti claim in the returned App Check token are unspecified. To ensure that the returned App Check token is eligible for limited-use functionality, set limitedUse to true .

Response body

If successful, the response body contains an instance of AppCheckToken .