Stay organized with collections
Save and categorize content based on your preferences.
Firebase App Check
plat_iosplat_androidplat_webplat_flutter
App Check helps protect your app backends from abuse by preventing
unauthorized clients from accessing your backend resources. It works with
both Google services (including Firebase and Google Cloud services) and your
own custom backends to keep your resources safe.
With App Check, devices running your app will use an app or device
attestation provider that attests to one or both of the following:
Requests originate from your authentic app
Requests originate from an authentic, untampered device
This attestation is attached to every request your app makes to the APIs you
specify. When you enable App Check enforcement, requests from
clients without a valid attestation will be rejected, as will any request
originating from an app or platform you haven't authorized.
App Check has built-in support for using the following services as
attestation providers:
If these are insufficient for your needs, you can also implement your own
service that uses either a third-party attestation provider or your own
attestation techniques.
App Check works with the following Google services:
Supported Firebase and Google Cloud services
Firebase Authentication (Preview)
Firebase Data Connect
Cloud Firestore
Firebase Realtime Database
Cloud Storage for Firebase
Cloud Functions for Firebase (callable functions only)
When you enable App Check for a service and include the client SDK
in your app, the following happens periodically:
Your app interacts with the provider of your choice to obtain an attestation
of the app or device's authenticity (or both, depending on the provider).
The attestation is sent to the App Check server, which verifies the
validity of the attestation using parameters registered with the app, and
returns to your app an App Check token with an expiration time. This
token might retain some information about the attestation material it
verified.
The App Check client SDK caches the token in your app, ready to be sent
along with any requests your app makes to protected services.
A service protected by App Check only accepts requests accompanied
by a current, valid App Check token.
How strong is the security provided by App Check?
App Check relies on the strength of its attestation providers to determine
app or device authenticity. It prevents some, but not all, abuse vectors
directed towards your backends. Using App Check does not guarantee
the elimination of all abuse, but by integrating with App Check, you are
taking an important step towards abuse protection for your backend resources.
How is App Check related to Firebase Authentication?
App Check and Firebase Authentication are complementary parts of your app security
story. Firebase Authentication provides user authentication, which protects your
users, whereas App Check provides attestation of app or device authenticity,
which protects you, the developer. App Check guards access to your Google
backend resources and custom backends by requiring API calls to contain a valid
App Check token. These two concepts work together to help secure your app.
Quotas & limits
Your use of App Check is subject to the quotas and limits of the attestation
providers you use.
DeviceCheck and App Attest access is subject to any quotas or limitations set
by Apple.
Play Integrity has a daily quota of 10,000 calls for its Standard API usage
tier. For information on raising your usage tier, see the
Play Integrity documentation.
reCAPTCHA Enterprise is no-cost for 10,000 assessments each month, and has a
cost beyond that. See reCAPTCHA pricing.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-22 UTC."],[],[],null,["Firebase App Check \nplat_ios plat_android plat_web plat_flutter \n\nApp Check helps protect your app backends from abuse by preventing\nunauthorized clients from accessing your backend resources. It works with\nboth Google services (including Firebase and Google Cloud services) and your\nown custom backends to keep your resources safe.\n\nWith App Check, devices running your app will use an app or device\nattestation provider that attests to one or both of the following:\n\n- Requests originate from your authentic app\n- Requests originate from an authentic, untampered device\n\nThis attestation is attached to every request your app makes to the APIs you\nspecify. When you enable App Check enforcement, requests from\nclients without a valid attestation will be rejected, as will any request\noriginating from an app or platform you haven't authorized.\n\nApp Check has built-in support for using the following services as\nattestation providers:\n\n- [DeviceCheck](https://developer.apple.com/documentation/devicecheck) or [App Attest](https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity) on Apple platforms\n- [Play Integrity](https://developer.android.com/google/play/integrity) on Android\n- [reCAPTCHA Enterprise](https://cloud.google.com/recaptcha-enterprise) on web apps.\n\nIf these are insufficient for your needs, you can also implement your own\nservice that uses either a third-party attestation provider or your own\nattestation techniques.\n\nApp Check works with the following Google services:\n\n| Supported Firebase and Google Cloud services |\n|------------------------------------------------------------------------------------------------------------|\n| Firebase Authentication (Preview) |\n| Firebase Data Connect |\n| Cloud Firestore |\n| Firebase Realtime Database |\n| Cloud Storage for Firebase |\n| Cloud Functions for Firebase (callable functions only) |\n| Firebase AI Logic |\n| [Maps JavaScript API](https://developers.google.com/maps/documentation/javascript/overview) (Preview) |\n| [Places API (New)](https://developers.google.com/maps/documentation/places/web-service/overview) (Preview) |\n| [Google Identity for iOS](https://developers.google.com/identity/sign-in/ios/appcheck) |\n\nYou can also use App Check to protect your non-Google custom backend\nresources, like your own self-hosted backend.\n\n[Learn how to get started](#get_started)\n\nHow does it work?\n\nWhen you enable App Check for a service and include the client SDK\nin your app, the following happens periodically:\n\n1. Your app interacts with the provider of your choice to obtain an attestation of the app or device's authenticity (or both, depending on the provider).\n2. The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token with an expiration time. This token might retain some information about the attestation material it verified.\n3. The App Check client SDK caches the token in your app, ready to be sent along with any requests your app makes to protected services.\n\nA service protected by App Check only accepts requests accompanied\nby a current, valid App Check token.\n\nHow strong is the security provided by App Check?\n\nApp Check relies on the strength of its attestation providers to determine\napp or device authenticity. It prevents some, but not all, abuse vectors\ndirected towards your backends. Using App Check does not guarantee\nthe elimination of all abuse, but by integrating with App Check, you are\ntaking an important step towards abuse protection for your backend resources.\n\nHow is App Check related to Firebase Authentication?\n\nApp Check and Firebase Authentication are complementary parts of your app security\nstory. Firebase Authentication provides user authentication, which protects your\nusers, whereas App Check provides attestation of app or device authenticity,\nwhich protects you, the developer. App Check guards access to your Google\nbackend resources and custom backends by requiring API calls to contain a valid\nApp Check token. These two concepts work together to help secure your app.\n\nQuotas \\& limits\n\nYour use of App Check is subject to the quotas and limits of the attestation\nproviders you use.\n\n- DeviceCheck and App Attest access is subject to any quotas or limitations set\n by Apple.\n\n- Play Integrity has a daily quota of 10,000 calls for its Standard API usage\n tier. For information on raising your usage tier, see the\n [Play Integrity documentation](https://developer.android.com/google/play/integrity/overview#usage-tiers).\n\n- reCAPTCHA Enterprise is no-cost for 10,000 assessments each month, and has a\n cost beyond that. See [reCAPTCHA pricing](https://cloud.google.com/security/products/recaptcha#pricing).\n\nGet started\n\nReady to get started?\n\nApple platforms\n\n[DeviceCheck](/docs/app-check/ios/devicecheck-provider)\n[App Attest](/docs/app-check/ios/app-attest-provider)\n\nAndroid\n\n[Play Integrity](/docs/app-check/android/play-integrity-provider)\n\nWeb\n\n[reCAPTCHA Enterprise](/docs/app-check/web/recaptcha-enterprise-provider)\n\nFlutter\n\n[Default providers](/docs/app-check/flutter/default-providers)\n\nUnity\n\n[Default providers](/docs/app-check/unity/default-providers)\n\nC++\n\n[Default providers](/docs/app-check/cpp/default-providers)\n\nLearn how to implement a custom App Check provider\n\n[Custom providers](/docs/app-check/custom-provider)\n\nLearn how to use App Check to protect your custom backend resources\n\nSelect your platform:\n\n[iOS+](/docs/app-check/ios/custom-resource)\n[Android](/docs/app-check/android/custom-resource)\n[Web](/docs/app-check/web/custom-resource)\n[Flutter](/docs/app-check/flutter/custom-resource)\n[Unity](/docs/app-check/unity/custom-resource)\n[C++](/docs/app-check/cpp/custom-resource)"]]
