Firebase App Check
App Check helps protect your API resources from abuse by preventing
unauthorized clients from accessing your backend resources. It works with
Firebase services, Google Cloud services, and your own APIs to keep your
resources safe.
With App Check, devices running your app will use an app or device
attestation provider that attests to one or both of the following:
- Requests originate from your authentic app
- Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs you
specify. When you enable App Check enforcement, requests from
clients without a valid attestation will be rejected, as will any request
originating from an app or platform you haven't authorized.
App Check has built-in support for using the following services as
attestation providers:
If these are insufficient for your needs, you can also implement your own
service that uses either a third-party attestation provider or your own
attestation techniques.
App Check currently works with the following Firebase products:
You can also use App Check to protect your non-Firebase backend resources.
How does it work?
When you enable App Check for a service and include the client SDK
in your app, the following happens periodically:
- Your app interacts with the provider of your choice to obtain an attestation
of the app or device's authenticity (or both, depending on the provider).
- The attestation is sent to the App Check server, which verifies the
validity of the attestation using parameters registered with the app, and
returns to your app an App Check token with an expiration time. This
token might retain some information about the attestation material it
verified.
- The App Check client SDK caches the token in your app, ready to be sent
along with any requests your app makes to protected services.
A service protected by App Check only accepts requests accompanied
by a current, valid App Check token.
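The flow above as a simplified Python model (an added example, not Firebase code): an HMAC over a constructed key stands in for the App Check server's token signature, and `issue_token`, `verify_request`, `AUTHORIZED_APPS` and the token layout are hypothetical names chosen for illustration. It shows which requests a protected service rejects: no token, altered token, expired token, or a token from an app that is not authorized.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this model; none of them come from Firebase.
SERVER_KEY = b"constructed-demo-key"
AUTHORIZED_APPS = {"app-ios-demo", "app-web-demo"}


def b64url(data):
    return base64.urlsafe_b64encode(data).decode()


def sign(body):
    return b64url(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(app_id, attestation_ok, ttl=3600, now=None):
    """App Check server stand-in: a token is returned only after the
    attestation verifies, and it always carries an expiration time."""
    if not attestation_ok:
        return None
    now = int(time.time()) if now is None else now
    body = b64url(json.dumps({"app_id": app_id, "exp": now + ttl}).encode())
    return body + "." + sign(body)


def verify_request(token, now=None):
    """Protected service: accept only a current, valid token from an
    authorized app. Returns (accepted, reason)."""
    if not token:
        return False, "missing token"
    body, sep, sig = token.partition(".")
    if not sep:
        return False, "malformed token"
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sign(body).encode(), sig.encode()):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return False, "expired"
    if claims["app_id"] not in AUTHORIZED_APPS:
        return False, "unauthorized app"
    return True, "ok"
```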
How strong is the security provided by App Check?
App Check relies on the strength of its attestation providers to determine
app or device authenticity. It prevents some, but not all, abuse vectors
directed towards your backends. Using App Check does not guarantee
the elimination of all abuse, but by integrating with App Check, you are
taking an important step towards abuse protection for your backend resources.
App Check and Firebase Authentication are complementary parts of your app security
story. Firebase Authentication provides user authentication, which protects your
users, whereas App Check provides attestation of app or device authenticity,
which protects you, the developer. App Check guards access to your Firebase
resources and custom backends by requiring API calls to contain a valid Firebase
App Check token. These two concepts work together to help secure your app.
Quotas & limits
Your use of App Check is subject to the quotas and limits of the attestation
providers you use.
DeviceCheck and App Attest access is subject to any quotas or limitations set
by Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usage
tier. For information on raising your usage tier, see the Play Integrity
documentation.
SafetyNet has a daily quota of 10,000 calls. For information on requesting a
quota increase, see the SafetyNet documentation.
reCAPTCHA Enterprise is no-cost for 1 million calls per month, and at
cost beyond that. See reCAPTCHA Enterprise pricing.
Get started
Ready to get started?
- DeviceCheck
- App Attest
- Android: Play Integrity
- Web: reCAPTCHA Enterprise
- Flutter: Default providers
- C++: Default providers
- Unity: Default providers
Learn how to implement a custom App Check provider:
- Custom providers
Learn how to use App Check to protect your non-Firebase backend resources:
- iOS+
- Android
- Web
- Flutter