I/O is live! Tune in for livestreamed keynotes and sessions May 20-21 starting at 10 AM PT. Watch now.

Implement Firebase App Check to protect APIs from unauthorized clients
Stay organized with collections Save and categorize content based on your preferences.

When you call an API directly from a mobile or web app (for example, the APIs that allow access to generative AI models), the API is vulnerable to abuse by unauthorized clients. To help protect these APIs, you can use Firebase App Check to verify that all incoming API calls are from your actual app.

Firebase AI Logic provides a proxy gateway that lets you integrate with Firebase App Check and protect the generative AI model APIs called by your mobile and web apps. Integrating with App Check is supported for both the Gemini Developer API and the Vertex AI Gemini API when you use the Firebase AI Logic SDKs. You can protect both Gemini and Imagen models.

High-level summary of how App Check works

With App Check, devices running your app use an app or device attestation provider that verifies one or both of the following:

Requests originate from your authentic app
Requests originate from an authentic, untampered device

This attestation is attached to every request your app makes using a Firebase AI Logic SDK. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.

Find detailed information in the Firebase App Check documentation.

Available providers and implementation instructions

App Check has built-in support for using the following services as attestation providers. Click a provider's link to view the App Check documentation for that provider, including descriptions and implementation instructions.

Apple platforms: DeviceCheck or App Attest
Android: Play Integrity
Web: reCAPTCHA Enterprise

If these providers are insufficient for your needs, you can also implement your own service that uses either a third-party attestation provider or your own attestation techniques (for more details, see the App Check documentation).

Special instantiation required for Flutter

Click your Gemini API provider to view provider-specific content and code on this page.

When using App Check with Firebase AI Logic in Flutter apps, you need to explicitly pass in App Check during instantiation, like so:

final ai = await FirebaseAI.googleAI(appCheck: FirebaseAppCheck.instance)
  .generativeModel(model: 'MODEL_NAME');

Additional information about App Check

Learn about quotas and limits for App Check.
Make sure that you enable enforcement of App Check before you release your app to real users.

Understand how Firebase AI Logic integrates with App Check

To use the Firebase AI Logic SDKs, the Firebase AI Logic API (firebasevertexai.googleapis.com) must be enabled in your Firebase project. This is because requests made by the Firebase AI Logic SDKs are first sent to the Firebase AI Logic server, which acts as a proxy gateway where Firebase App Check verification takes place before the request is allowed to proceed to your chosen "Gemini API" provider's backend and the APIs to access the Gemini and Imagen models.