When you call an API directly from a mobile or web app (for example, the APIs that allow access to generative AI models), the API is vulnerable to abuse by unauthorized clients. To help protect these APIs from abuse, you can use Firebase App Check to verify that all incoming API calls are from your actual app and an untampered device.
Firebase AI Logic provides a proxy gateway that lets you integrate with Firebase App Check and protect the generative AI model APIs called by your mobile and web apps. Using App Check with the Firebase AI Logic SDKs supports all our configurations:
- Protects both "Gemini API" providers: Gemini Developer API and Vertex AI Gemini API.
- Protects all supported models, both Gemini models and Imagen models.
- App Check also supports replay protection, which means an App Check token can only be used once.
High-level summary of how App Check works
With App Check, devices running your app use an app or device attestation provider that verifies one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes using a Firebase AI Logic SDK. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.
When setting up App Check, consider adding replay protection, which makes App Check tokens one-time-use only. This option offers enhanced protection beyond the baseline protection and lets you set an appropriate level of protection for your app and use cases.
You can find detailed information about App Check in its documentation, including its quotas and limits.
Set up App Check
The App Check documentation provides detailed descriptions of attestation providers as well as detailed implementation instructions.
Choose a default attestation provider, and follow the implementation instructions at the following links:
- Apple platforms: DeviceCheck or App Attest
- Android: Play Integrity
- Web: reCAPTCHA Enterprise
- Flutter: Supports all the default providers above (see the implementation instructions for Flutter and App Check). If you're using older plugin versions, see the note about special instantiation below.
- Unity: Supports all the default providers above
Note that if none of the default attestation providers are sufficient for your needs, then you can implement a custom provider that uses either a third-party attestation provider or your own attestation techniques.
- (Required) Enable App Check enforcement before you commit your app to a publicly available source code control system, share your app, or make your app publicly available.
- (Recommended) Enhance protection by adding replay protection, which means an App Check token can only be used once.
This special instantiation is only required if your app uses the Flutter plugin firebase_ai v3.11.0 or lower (BoM v4.12.0 or lower). If your app uses a newer version of the plugin, this special instantiation isn't needed.
If you enable App Check enforcement, then in Flutter apps that use older plugin versions, you need to explicitly pass in App Check during instantiation, like so:
```dart
// ...
// During instantiation, enable usage of limited-use tokens
final ai = await FirebaseAI.googleAI(
  // For Flutter plugin v3.11.0 or lower (BoM v4.12.0 or lower), pass in App Check explicitly.
  appCheck: FirebaseAppCheck.instance,
  useLimitedUseAppCheckTokens: true,
);
// ...
```
Enhance protection by adding replay protection
We recommend using the latest SDK versions, but make sure you're using at minimum one of these versions to use replay protection:
- Apple platforms v12.2.0+
- Android BoM v34.14.0+ (App Check v19.1.0+)
- Web v12.14.0+
- Flutter v4.15.0+ (App Check v4.10.0+)
- Unity v13.12.0+
By default, App Check uses session tokens, which have a configurable time to live (TTL) between
However, you can enhance protection beyond this baseline protection by enforcing replay protection, which uses limited-use tokens instead. When replay protection is enforced, the following happens:
- App Check will block requests to Firebase AI Logic that use session tokens. Instead, App Check will only allow a request to Firebase AI Logic if it uses a newly-minted limited-use token.
- After the limited-use token is verified, the token is consumed so that it can be used only once, which prevents replay attacks.
- The App Check SDK generates a new limited-use token for each request. Note that this process can impact your requests by adding some latency and sometimes cost (depending on your attestation provider).
Set up and enforce replay protection
Here's how to set up and enforce replay protection:
- If you haven't already, implement App Check and enable App Check enforcement for your app.
- Enable usage of limited-use tokens. In your app during instantiation, set the `useLimitedUseAppCheckTokens` parameter to `true`:

Swift
```swift
// ...
// During instantiation, enable usage of limited-use tokens
let ai = FirebaseAI.firebaseAI(
  backend: .googleAI(),
  useLimitedUseAppCheckTokens: true
)
// ...
```

Kotlin
```kotlin
// ...
// During instantiation, enable usage of limited-use tokens
val ai = Firebase.ai(
  backend = GenerativeBackend.googleAI(),
  useLimitedUseAppCheckTokens = true
)
// ...
```

Java
```java
// ...
// During instantiation, enable usage of limited-use tokens
FirebaseAI ai = FirebaseAI.getInstance(
  /* backend: */ GenerativeBackend.googleAI(),
  /* useLimitedUseAppCheckTokens: */ true
);
// ...
```

Web
```javascript
// ...
// During instantiation, enable usage of limited-use tokens
const ai = getAI(firebaseApp, {
  backend: new GoogleAIBackend(),
  useLimitedUseAppCheckTokens: true
});
// ...
```

Dart
```dart
// ...
// During instantiation, enable usage of limited-use tokens
final ai = await FirebaseAI.googleAI(
  useLimitedUseAppCheckTokens: true,
);
// ...
```

Unity
```csharp
// ...
// During instantiation, enable usage of limited-use tokens
var ai = FirebaseAI.GetInstance(
  useLimitedUseAppCheckTokens: true
);
// ...
```

- Enforce replay protection.
  - In your app's codebase, make sure that you've enabled usage of limited-use tokens (see previous step).
  - In the Firebase console, go to Security > App Check.
  - Expand the metrics view for Firebase AI Logic.
  - Make sure Baseline protection is Enforced, then click Continue.
  - For replay protection, choose either Unenforced (monitoring only) or Enforced.

Consider the following to decide when to enforce replay protection:
- Monitoring your requests is recommended if a substantial number of your users are likely using earlier versions of your app without usage of limited-use tokens enabled. If you enforce replay protection immediately, requests from those users will be blocked.
- You can specifically monitor the Unverified: Reused token metric, which is the number of requests that have a token which has already been used in a previous request. Monitor this metric in the Firebase console (go to the Security > App Check > APIs tab).
- If a significant portion of recent requests are in this category, you can avoid disrupting users and consider waiting to enforce replay protection until more users have updated to a version of your app that uses limited-use tokens.
Understand how Firebase AI Logic integrates with App Check
To use the Firebase AI Logic SDKs, the Firebase AI Logic API (firebasevertexai.googleapis.com) must be enabled in your Firebase project. This is because requests made by the Firebase AI Logic SDKs are first sent to the Firebase AI Logic server, which acts as a proxy gateway where Firebase App Check verification takes place before the request is allowed to proceed to your chosen "Gemini API" provider's backend and the APIs to access the Gemini and Imagen models.