Firebase Tutorial
App Check
Firebase App Check helps protect your API resources from abuse by preventing unauthorized clients from accessing your backend services.
1. Why App Check?
- Billing Protection: Prevents bots from making expensive calls to your database or storage.
- Data Integrity: Ensures only your app can write data to your services.
- Reduced Spam: Blocks unauthorized scripts and scrapers.
2. How it Works
App Check works by requiring an "App Check token" with every request. This token is issued by an attestation provider (like reCAPTCHA Enterprise on the web or DeviceCheck/App Attest on Apple platforms).
3. Implementation (Web)
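```javascript
import { initializeAppCheck, ReCaptchaEnterpriseProvider } from "firebase/app-check";

// `app` is the FirebaseApp instance returned by initializeApp() during project setup.
const appCheck = initializeAppCheck(app, {
  provider: new ReCaptchaEnterpriseProvider('YOUR_SITE_KEY'),
  // Let the SDK refresh App Check tokens automatically.
  isTokenAutoRefreshEnabled: true
});
```
4. Enforcing App Check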
Initializing the SDK alone isn't enough. You must enforce App Check in the Firebase Console for each service (Firestore, Storage, Functions); until you do, requests without a valid token are still accepted.
Warning: Be careful when turning on enforcement! Users on older versions of your app without App Check will be blocked. Use a phased rollout.