EnforcementMode

The enforcement mode for a Google service supported by App Check, or for a child resource of such a service. This enforcement mode can be applied to App Check's baseline protection or, separately, to additional protections such as replay protection.

Note: Enforcement on these additional protections cannot be set to a level higher than that of baseline protection; for example, if baseline protection is set to UNENFORCED, replay protection cannot be set to ENFORCED. Currently, replay protection is the only available additional protection on top of baseline protection.

Enums
OFF

When a particular protection is set to this mode, that protection is not applied for the service or resource, nor are metrics related to that protection collected.

Though the relevant App Check protection is not applied, other applicable protections outside of App Check, such as user authorization, are still applied.

An unconfigured EnforcementMode is in this mode by default.

UNENFORCED

When a particular protection is set to this mode, that protection is not enforced for the service or resource. Metrics related to that protection are collected to help you decide when to turn on enforcement. These metrics will show the portion of traffic that is deemed invalid by that protection, but that traffic will not be rejected until you turn on enforcement.

This UNENFORCED mode is also known as monitoring-only mode.

Though the relevant App Check protection is not enforced, other applicable protections outside of App Check, such as user authorization, are still applied.

Some services require certain conditions to be met before they will work with App Check, such as requiring you to upgrade to a specific service tier. Until those requirements are met for a service, this UNENFORCED setting will have no effect and App Check will not work with that service.

ENFORCED

When a particular protection is set to this mode, that protection is enforced for the service or resource. It will reject any traffic not accompanied by an App Check token that it deems valid. There are some exceptions depending on the service; for example, some services will still allow requests bearing the developer's privileged service account credentials without an App Check token. App Check metrics continue to be collected to help you detect issues with your App Check integration and monitor the composition of your callers.

While the service is protected by App Check, other applicable protections outside of App Check, such as user authorization, continue to be applied at the same time.

Use caution when choosing to enforce App Check protections. If your users have not updated to a version of your app that meets the requirements of the relevant App Check protection, their app may stop working. App Check metrics can help you decide when to enforce that protection on your services and resources.

If you have not yet published your app, you should enable enforcement as soon as you verify that your App Check implementation is correct, since there are no outdated clients in use.

Some services require certain conditions to be met before they will work with App Check, such as requiring you to upgrade to a specific service tier. Until those requirements are met for a service, this ENFORCED setting will have no effect and App Check will not work with that service.