For mobile and web apps, you need to protect the Gemini API and
your project resources (like tuned models) from abuse by unauthorized clients.
You can use Firebase App Check to verify that all API calls are from your actual app.
Gemini API abuse protection using App Check is only available if you
use the Vertex AI for Firebase SDKs.
With App Check, devices running your app use an app or device attestation
provider that verifies one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes using the
Vertex AI Gemini API. When you enable App Check enforcement,
requests from clients without a valid attestation will be rejected, as will any
request originating from an app or platform you haven't authorized.
Available providers
App Check has built-in support for using the following services as
attestation providers. Click a provider's link to view the App Check
documentation for that provider, including descriptions and implementation
instructions.
If these providers are insufficient for your needs, you can also implement your
own service that uses either a third-party attestation provider or your own
attestation techniques (for more details, see the App Check documentation).
Additional information about App Check
Understand how App Check protects the Gemini API
To use the Vertex AI for Firebase SDKs, the firebaseml.googleapis.com API
must be enabled in your Firebase project. This is because requests made by the
Vertex AI for Firebase SDKs are first sent to the Firebase ML server, which
acts as a proxy gateway where Firebase App Check verification takes place
before the request is allowed to proceed to the Vertex AI backend.
Note that the Vertex AI Gemini API (aiplatform.googleapis.com) itself
doesn't perform any App Check verification. Instead, the
Vertex AI for Firebase SDKs automatically route requests from your app
through the Firebase ML gateway.
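The gateway behavior described above, modeled as an added example (not code from this page or from Firebase): a proxy checks the attestation token before forwarding, and rejects only when enforcement is on. The token layout (an RS256-signed JWT with iss, aud, sub and exp claims), the project number, the app IDs, the locally generated key and all function names are assumptions of this sketch.

```javascript
// Simplified model of the gateway decision; not Google's implementation.
const { generateKeyPairSync, createSign, createVerify } = require("node:crypto");

const b64url = (x) => Buffer.from(x).toString("base64url");

// Constructed placeholders: project number and the apps registered with it.
const PROJECT_NUMBER = "123456789";
const REGISTERED_APPS = new Set(["1:123456789:web:constructedapp"]);
const ISSUER = `https://firebaseappcheck.googleapis.com/${PROJECT_NUMBER}`;
const AUDIENCE = `projects/${PROJECT_NUMBER}`;

// Stand-in for the attestation service's signing key (generated locally).
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });

// Hypothetical helper: mint a token the way an attestation service would.
function mintToken(claims, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns null when the attestation is valid, otherwise the reason it is not.
function verify(token, now) {
  if (typeof token !== "string") return "missing token";
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed token";
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url")) || {};
    claims = JSON.parse(Buffer.from(parts[1], "base64url")) || {};
  } catch { return "malformed token"; }
  if (header.alg !== "RS256") return "unexpected algorithm";
  const ok = createVerify("RSA-SHA256").update(`${parts[0]}.${parts[1]}`)
    .verify(publicKey, Buffer.from(parts[2], "base64url"));
  if (!ok) return "bad signature";
  if (claims.iss !== ISSUER || ![].concat(claims.aud).includes(AUDIENCE)) return "wrong project";
  if (!(claims.exp > now)) return "expired";
  if (!REGISTERED_APPS.has(claims.sub)) return "unregistered app";
  return null;
}

// Gateway decision: forward to the backend, or reject when enforcement is on.
function gatewayCheck(token, { enforce, now = Math.floor(Date.now() / 1000) }) {
  const reason = verify(token, now);
  if (reason === null || !enforce) return "forward";
  return `reject: ${reason}`;
}
```

In this model, a request that bypasses the gateway never reaches `gatewayCheck` at all, which is why the check only protects traffic that is routed through the gateway.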