Enable App Check enforcement for Cloud Functions
When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement for callable functions.
Enable enforcement
To begin enforcing App Check token requirements in your callable functions, modify your functions to check for valid App Check tokens, as shown below. Once you enable enforcement, all unverified requests will be rejected.
Install the Cloud Functions SDK.

Node.js (2nd gen)

Update your project's firebase-functions dependency to version 4.0.0 or newer:

```sh
npm install firebase-functions@">=4.0.0"
```

Node.js (1st gen)

Update your project's firebase-functions dependency to version 4.0.0 or newer:

```sh
npm install firebase-functions@">=4.0.0"
```

Python (preview)

Add firebase-functions to functions/requirements.txt:

```
firebase-functions >= 0.1.0
```

Then, update the dependencies in your project's virtual environment:

```sh
./venv/bin/pip install -r requirements.txt
```

Enable the App Check enforcement runtime option for your function:

Node.js (2nd gen)

```javascript
const { onCall } = require("firebase-functions/v2/https");

exports.yourV2CallableFunction = onCall(
  {
    enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
  },
  (request) => {
    // request.app contains data from App Check, including the app ID.
    // Your function logic follows.
    // ...
  }
);
```

Node.js (1st gen)

```javascript
const functions = require("firebase-functions/v1");

exports.yourV1CallableFunction = functions
  .runWith({
    enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
  })
  .https.onCall((data, context) => {
    // context.app contains data from App Check, including the app ID.
    // Your function logic follows.
    // ...
  });
```

Python (preview)

```python
from firebase_functions import https_fn

@https_fn.on_call(
    enforce_app_check=True  # Reject requests with missing or invalid App Check tokens.
)
def your_callable_function(req: https_fn.CallableRequest) -> https_fn.Response:
    # req.app contains data from App Check, including the app ID.
    # Your function logic follows.
    ...
```

Redeploy your functions:

```sh
firebase deploy --only functions
```
Once these changes are deployed, your callable functions will require valid App Check tokens. The Cloud Functions client SDKs automatically attach an App Check token when you invoke a callable function.
Replay protection (beta)
To protect a callable function from replay attacks, you can consume the App Check token after verifying it. Once the token is consumed, it cannot be used again.

Note: The replay protection beta supports only the Cloud Functions SDK for Node.js.

Note that using replay protection adds a network round trip to token verification, and therefore adds latency to the function call. For this reason, most apps typically enable replay protection only on particularly sensitive endpoints.
To consume tokens:
In the Google Cloud console, grant the "Firebase App Check Token Verifier" role to the service account used by the function.
- If you're explicitly initializing the Admin SDK and you specified your project's Admin SDK service account credentials, the required role is already granted.
- If you're using 1st generation Cloud Functions with the default Admin SDK configuration, grant the role to the App Engine default service account. See Changing service account permissions.
- If you're using 2nd generation Cloud Functions with the default Admin SDK configuration, grant the role to the Default compute service account.
Set consumeAppCheckToken to true in your function definition:

Node.js (2nd gen)

```javascript
const { onCall } = require("firebase-functions/v2/https");

exports.yourV2CallableFunction = onCall(
  {
    enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
    consumeAppCheckToken: true, // Consume the token after verification.
  },
  (request) => {
    // request.app contains data from App Check, including the app ID.
    // Your function logic follows.
    // ...
  }
);
```

Node.js (1st gen)

```javascript
const functions = require("firebase-functions/v1");

exports.yourV1CallableFunction = functions
  .runWith({
    enforceAppCheck: true, // Reject requests with missing or invalid App Check tokens.
    consumeAppCheckToken: true, // Consume the token after verification.
  })
  .https.onCall((data, context) => {
    // context.app contains data from App Check, including the app ID.
    // Your function logic follows.
    // ...
  });
```

Update your app client code to acquire consumable limited-use tokens when you call the function:

Swift

```swift
let options = HTTPSCallableOptions(requireLimitedUseAppCheckTokens: true)
let yourCallableFunction =
    Functions.functions().httpsCallable("yourCallableFunction", options: options)
do {
    let result = try await yourCallableFunction.call()
} catch {
    // ...
}
```

Kotlin

```kotlin
val yourCallableFunction = Firebase.functions.getHttpsCallable("yourCallableFunction") {
    limitedUseAppCheckTokens = true
}
val result = yourCallableFunction.call().await()
```

Java

```java
HttpsCallableReference yourCallableFunction = FirebaseFunctions.getInstance().getHttpsCallable(
        "yourCallableFunction",
        new HttpsCallableOptions.Builder()
                .setLimitedUseAppCheckTokens(true)
                .build()
);
Task<HttpsCallableResult> result = yourCallableFunction.call();
```

Web

```javascript
import { getFunctions, httpsCallable } from "firebase/functions";

const yourCallableFunction = httpsCallable(
  getFunctions(),
  "yourCallableFunction",
  { limitedUseAppCheckTokens: true },
);
await yourCallableFunction();
```
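The firebase-functions reference for consumeAppCheckToken describes a request.app.alreadyConsumed flag that the handler is expected to act on when a token has been seen before. The following is an added example, not code from the original page: a handler-side check for the replay protection section above. checkAppCheck, ALLOWED_APP_IDS and the app ID value are hypothetical, and the alreadyConsumed property is assumed to behave as that reference describes.

```javascript
// Added example: decision logic for a callable handler that uses App Check
// replay protection. checkAppCheck and ALLOWED_APP_IDS are hypothetical names.

// Constructed placeholder app ID; replace with your own Firebase app IDs.
const ALLOWED_APP_IDS = new Set(["1:000000000000:web:exampleweb"]);

// Returns null when the request may proceed, otherwise { code, message }
// with a callable error code the handler can pass to HttpsError.
function checkAppCheck(app, { requireConsumed = true } = {}) {
  // With enforceAppCheck: true the SDK rejects missing or invalid tokens
  // before the handler runs; this guard covers a function deployed without it.
  if (!app) {
    return { code: "unauthenticated", message: "App Check token required" };
  }
  if (!ALLOWED_APP_IDS.has(app.appId)) {
    return { code: "permission-denied", message: "App not allowed" };
  }
  if (requireConsumed) {
    // undefined: consumption was not requested (consumeAppCheckToken unset).
    if (app.alreadyConsumed === undefined) {
      return { code: "failed-precondition", message: "Token was not consumed" };
    }
    // true: the App Check service had already marked this token as consumed.
    if (app.alreadyConsumed === true) {
      return { code: "permission-denied", message: "App Check token replayed" };
    }
  }
  return null;
}

// Wiring inside the 2nd gen handler from the page (needs firebase-functions):
//   const { onCall, HttpsError } = require("firebase-functions/v2/https");
//   exports.yourV2CallableFunction = onCall(
//     { enforceAppCheck: true, consumeAppCheckToken: true },
//     (request) => {
//       const denied = checkAppCheck(request.app);
//       if (denied) throw new HttpsError(denied.code, denied.message);
//       // Your function logic follows.
//     });

// Constructed request.app values: first use and replay of the same token.
const firstUse = { appId: "1:000000000000:web:exampleweb", alreadyConsumed: false };
const replay = { ...firstUse, alreadyConsumed: true };
console.log(checkAppCheck(firstUse), checkAppCheck(replay));
```

The failed-precondition branch catches a sensitive endpoint that was deployed without consumeAppCheckToken, where every token would otherwise look like a first use.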
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.