Protect custom backend resources with App Check on Apple platforms

You can useApp Check to protect non-Google custom backend resources foryour app, like your own self-hosted backend. To do so, you'll need to do both ofthe following:

  • Modify your app client to send anApp Check token along with each requestto your backend, as described on this page.
  • Modify your backend to require a validApp Check token with every request,as described inVerifyApp Check tokens from a custom backend.

Before you begin

AddApp Check to your app, using eitherApp Attest,DeviceCheck, or acustom provider.

SendApp Check tokens with backend requests

To ensure your backend requests include a valid, unexpired,App Check token,wrap each request in a call toAppCheck.token(). TheApp Check librarywill refresh the token if necessary, and you can access the token in themethod's completion block.

Once you have a valid token, send it along with the request to your backend. Thespecifics of how you accomplish this are up to you, butdon't sendApp Check tokens as part of URLs, including in query parameters, as thismakes them vulnerable to accidental leakage and interception. The followingexample sends the token in a custom HTTP header, which is the recommendedapproach.

Swift

do{lettoken=tryawaitAppCheck.appCheck().token(forcingRefresh:false)// Get the raw App Check token string.lettokenString=token.token// Include the App Check token with requests to your server.leturl=URL(string:"https://yourbackend.example.com/yourApiEndpoint")!varrequest=URLRequest(url:url)request.httpMethod="GET"request.setValue(tokenString,forHTTPHeaderField:"X-Firebase-AppCheck")lettask=URLSession.shared.dataTask(with:request){data,response,errorin// Handle response from your backend.}task.resume()}catch(leterror){print("Unable to retrieve App Check token:\(error)")return}

Objective-C

[[FIRAppCheckappCheck]tokenForcingRefresh:NOcompletion:^(FIRAppCheckToken*_Nullabletoken,NSError*_Nullableerror){if(error!=nil){// Handle any errors if the token was not retrieved.NSLog(@"Unable to retrieve App Check token: %@",error);return;}if(token==nil){NSLog(@"Unable to retrieve App Check token.");return;}// Get the raw App Check token string.NSString*tokenString=token.token;// Include the App Check token with requests to your server.NSURL*url=[[NSURLalloc]initWithString:@"https://yourbackend.example.com/yourApiEndpoint"];NSMutableURLRequest*request=[[NSMutableURLRequestalloc]initWithURL:url];[requestsetHTTPMethod:@"GET"];[requestsetValue:tokenStringforHTTPHeaderField:@"X-Firebase-AppCheck"];NSURLSessionDataTask*task=[[NSURLSessionsharedSession]dataTaskWithRequest:requestcompletionHandler:^(NSData*_Nullabledata,NSURLResponse*_Nullableresponse,NSError*_Nullableerror){// Handle response from your backend.}];[taskresume];}];

Replay protection (beta)

When making a request to an endpoint for which you've enabledreplay protection,wrap the request in a call tolimitedUseToken() instead oftoken():

Swift

AppCheck.appCheck().limitedUseToken(){token,errorin// ...}

Objective-C

[[FIRAppCheckappCheck]limitedUseTokenWithCompletion:^(FIRAppCheckToken*_Nullabletoken,NSError*_Nullableerror){// ...}];

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-06 UTC.