Firebase App Check
App Check helps protect your app backends from abuse by preventingunauthorized clients from accessing your backend resources. It works withboth Google services (including Firebase andGoogle Cloud services) and yourown custom backends to keep your resources safe.
WithApp Check, devices running your app will use an app or deviceattestation provider that attests to one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs youspecify. When you enableApp Check enforcement, requests fromclients without a valid attestation will be rejected, as will any requestoriginating from an app or platform you haven't authorized.
App Check has built-in support for using the following services asattestation providers:
- DeviceCheck orApp Attest on Apple platforms
- Play Integrity on Android
- reCAPTCHA Enterprise on web apps.
If these are insufficient for your needs, you can also implement your ownservice that uses either a third-party attestation provider or your ownattestation techniques.
App Check works with the following Google services:
| Supported Firebase and Google Cloud services |
|---|
| Firebase Authentication (Preview) |
| Firebase Data Connect |
| Cloud Firestore |
| Firebase Realtime Database |
| Cloud Storage for Firebase |
| Cloud Functions for Firebase (callable functions only) |
| Firebase AI Logic |
| SupportedGoogle Maps Platform services |
| Maps JavaScript API (Preview) |
| Places API (New) (Preview) |
| Other supported Google services |
| Google Identity for iOS |
You can also useApp Check to protect your non-Google custom backendresources, like your own self-hosted backend.
How does it work?
When you enableApp Check for a service and include the client SDKin your app, the following happens periodically:
- Your app interacts with the provider of your choice to obtain an attestationof the app or device's authenticity (or both, depending on the provider).
- The attestation is sent to theApp Check server, which verifies thevalidity of the attestation using parameters registered with the app, andreturns to your app anApp Check token with an expiration time. Thistoken might retain some information about the attestation material itverified.
- TheApp Check client SDK caches the token in your app, ready to be sentalong with any requests your app makes to protected services.
A service protected byApp Check only accepts requests accompaniedby a current, validApp Check token.
How strong is the security provided byApp Check?
App Check relies on the strength of its attestation providers to determineapp or device authenticity. It prevents some, but not all, abuse vectorsdirected towards your backends. UsingApp Check does not guaranteethe elimination of all abuse, but by integrating withApp Check, you aretaking an important step towards abuse protection for your backend resources.
How isApp Check related toFirebase Authentication?
App Check andFirebase Authentication are complementary parts of your app securitystory.Firebase Authentication provides user authentication, which protects yourusers, whereasApp Check provides attestation of app or device authenticity,which protects you, the developer.App Check guards access to your Googlebackend resources and custom backends by requiring API calls to contain a validApp Check token. These two concepts work together to help secure your app.
Quotas & limits
Your use ofApp Check is subject to the quotas and limits of the attestationproviders you use.
DeviceCheck and App Attest access is subject to any quotas or limitations setby Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usagetier. For information on raising your usage tier, see thePlay Integrity documentation.
reCAPTCHA Enterprise is no-cost for 10,000 assessments each month, and has acost beyond that. SeereCAPTCHA pricing.
In addition, theApp Check service hasquotason the volume of requests it will handle from a single project; however, thesequotas are not typically depleted through normal usage. If your traffic volumeis anticipated to exceed these quotas,contact Firebase supportto request an increase.
Get started
Ready to get started?
Apple platforms
Android
Web
Flutter
Unity
C++
Learn how to implement a customApp Check provider
Learn how to useApp Check to protect your custom backend resources
Select your platform:
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-01-21 UTC.