Quickly validate Firebase Security Rules

To quickly test your updated Firebase Security Rules in the Firebase console, use the Rules Playground.

The Rules Playground is a convenient tool to use as you're exploring new behaviors or quickly validating rules as you write them. It displays a message confirming that access was either allowed or denied according to the parameters you set for the simulation.

Use the Rules Playground

  1. Open the Firebase console and select your project.
  2. Then, from the product navigation, do one of the following:
    • Select Realtime Database, Cloud Firestore, or Storage, as appropriate, then click Rules to navigate to the Rules editor.
  3. Once you've made your edits, click Rules Playground from the editor.
  4. In the Rules Playground settings, select options for your test, including:
    • Testing reads or writes.
    • A specific Location in your database or storage bucket, as a path.
    • Authentication type — unauthenticated, authenticated anonymous user, or a specific user ID.
    • Document-specific data that your rules specifically reference (for example, if your rules require the presence of a specific field before allowing a write).
  5. Click Run and look for the results in the banner above the editor.

Sample Rules Playground scenario

Test the Rules Playground behavior with the following sample scenario and basic rules.

Cloud Firestore

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow only authenticated content owners access
    match /some_collection/{document} {
      allow read, write: if request.auth != null && request.auth.uid == request.resource.data.author_uid

Realtime Database

 // These rules grant access to a node matching the authenticated
 // user's ID from the Firebase auth token
   "rules": {
     "users": {
       "$uid": {
         ".read": "$uid === auth.uid",
         ".write": "$uid === auth.uid"

Cloud Storage

// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/{bucket}/o {
    // Files look like: "user/<UID>/path/to/file.txt"
    match /user/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
  • In the Rules editor, add the rule given above.

  • Select get from the Simulation type dropdown menu and enter a valid path in the Location field.

  • Toggle on Authentication and select an authentication type from the Provider drodpdown.

  • Enter the user ID details and click Run.

The results of the simulation appear at the top of the editor. Depending on the user ID details you entered, you should see a banner confirming the read was either successfully allowed or denied.