Use App Check with the debug provider in web apps

If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as locally during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of a real attestation provider.

Warning: The debug provider allows access to your Firebase resources from unverified devices. Don't use the debug provider in production builds of your app, and don't share your debug builds with untrusted parties.

Use the debug provider on localhost

To use the debug provider while running your app from localhost (during development, for example), do the following:

Warning: Do not try to enable localhost debugging by adding localhost to reCAPTCHA’s allowed domains. Doing so would allow anyone to run your app from their local machines!

  1. In your debug build, enable debug mode by setting self.FIREBASE_APPCHECK_DEBUG_TOKEN to true before you initialize App Check. For example:

    Web

    self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;
    initializeAppCheck(app, { /* App Check options */ });

    Web

    self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;
    firebase.appCheck().activate(/* site key or provider */);

    Note: In Firebase Web SDK versions before v9, self.FIREBASE_APPCHECK_DEBUG_TOKEN is read at import time, and not at initialization/activation time. This required it to be set in index.html before the code bundle is loaded. To avoid this restriction, upgrade to v9.

  2. Visit your web app locally and open the browser’s developer tool. In the debug console, you’ll see a debug token:

    AppCheck debug token: "123a4567-b89c-12d3-e456-789012345678". You will need to safelist it in the Firebase console for it to work.

  3. In the App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, register the debug token you logged in the previous step.

After you register the token, Firebase backend services will accept it as valid.

Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

This token is stored locally in your browser and will be used whenever you use your app in the same browser on the same machine. If you want to use the token in another browser or on another machine, set self.FIREBASE_APPCHECK_DEBUG_TOKEN to the token string instead of true.

Use the debug provider in a CI environment

To use the debug provider in a continuous integration (CI) environment, do the following:

  1. In the App Check section of the Firebase console, choose Manage debug tokens from your app's overflow menu. Then, create a new debug token. You'll need the token in the next step.

    Because this token allows access to your Firebase resources without a valid device, it is crucial that you keep it private. Don't commit it to a public repository, and if a registered token is ever compromised, revoke it immediately in the Firebase console.

  2. Add the debug token you just created to your CI system's secure key store (for example, GitHub Actions' encrypted secrets or Travis CI's encrypted variables).

  3. If necessary, configure your CI system to make your debug token available within the CI environment as an environment variable. Name the variable something like APP_CHECK_DEBUG_TOKEN_FROM_CI.

  4. In your debug build, enable debug mode by setting self.FIREBASE_APPCHECK_DEBUG_TOKEN to the value of the debug token environment variable before you import App Check. For example:

    Web

    self.FIREBASE_APPCHECK_DEBUG_TOKEN = process.env.APP_CHECK_DEBUG_TOKEN_FROM_CI;
    initializeAppCheck(app, { /* App Check options */ });

    Web

    self.FIREBASE_APPCHECK_DEBUG_TOKEN = process.env.APP_CHECK_DEBUG_TOKEN_FROM_CI;
    firebase.appCheck().activate(/* site key or provider */);

When your app runs in a CI environment, Firebase backend services will accept the token it sends as valid.
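
One way to keep the debug provider out of production builds, as an added example that is not Firebase's code: a helper that picks the value for self.FIREBASE_APPCHECK_DEBUG_TOKEN per build, and a pre-deploy check that scans built output for code that sets the flag. NODE_ENV, APP_CHECK_LOCAL_DEBUG and both function names are assumptions; the token shown is the page's sample value.

```javascript
// Added example (not Firebase code). NODE_ENV and APP_CHECK_LOCAL_DEBUG are
// assumed build conventions; APP_CHECK_DEBUG_TOKEN_FROM_CI is the page's name.

// Value to assign to self.FIREBASE_APPCHECK_DEBUG_TOKEN before App Check is
// initialized, or undefined when the debug provider must stay off.
function resolveDebugToken(env) {
  if (env.NODE_ENV === 'production') return undefined; // never in production
  const ciToken = (env.APP_CHECK_DEBUG_TOKEN_FROM_CI || '').trim();
  if (ciToken) return ciToken; // CI: token registered in the console
  return env.APP_CHECK_LOCAL_DEBUG === '1' ? true : undefined; // localhost opt-in
}

// Scan built output for assignments to the debug flag. `=(?!=)` skips
// comparisons (== / ===), so only code that sets the flag is reported.
function findDebugTokenAssignments(bundleText) {
  const re = /FIREBASE_APPCHECK_DEBUG_TOKEN\s*=(?!=)\s*([^;,\n)]+)/g;
  const findings = [];
  let m;
  while ((m = re.exec(bundleText)) !== null) {
    // 1-based line number of the assignment within the scanned text.
    const line = bundleText.slice(0, m.index).split('\n').length;
    findings.push({ line, value: m[1].trim() });
  }
  return findings;
}

// Constructed sample inputs (the token is the page's sample value).
const SAMPLE_TOKEN = '123a4567-b89c-12d3-e456-789012345678';
const prodEnv = { NODE_ENV: 'production', APP_CHECK_DEBUG_TOKEN_FROM_CI: SAMPLE_TOKEN };
const ciEnv = { NODE_ENV: 'test', APP_CHECK_DEBUG_TOKEN_FROM_CI: SAMPLE_TOKEN };
const cleanBundle =
  'if (self.FIREBASE_APPCHECK_DEBUG_TOKEN === true) { log(); }\n' +
  'initializeAppCheck(app, opts);';
const leakyBundle =
  'var a=1;\n' +
  'self.FIREBASE_APPCHECK_DEBUG_TOKEN=!0;initializeAppCheck(app,o);';

console.log('production build:', resolveDebugToken(prodEnv));
console.log('CI build:', resolveDebugToken(ciEnv));
console.log('clean bundle:', findDebugTokenAssignments(cleanBundle));
console.log('leaky bundle:', findDebugTokenAssignments(leakyBundle));
```

In a release pipeline, fail the deploy when findDebugTokenAssignments returns any finding for a production bundle.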

Last updated 2026-02-05 UTC.