Firebase App Check

Your public app key identifies an app, but it is not a secret: anyone who extracts it from your binary or from captured traffic can script calls to your endpoint and burn your AI credits. App Check closes that gap: it proves a request came from your genuine, unmodified app on a real device before the proxy spends a token.

How it works with the proxy

  1. Your app obtains a short-lived App Check token from the Firebase SDK (backed by App Attest on iOS, Play Integrity on Android).
  2. It sends that token in the x-firebase-appcheck header, alongside the usual Authorization: Bearer <user-token> and x-mobileaiproxy-app-key headers.
  3. The proxy verifies the token's RS256 signature against Google's App Check JWKS (selecting the key by the token's kid), then checks that the audience contains projects/<your-project-number>, that the issuer is https://firebaseappcheck.googleapis.com/<your-project-number>, and that the current time falls within the token's iat/exp window.
  4. Only if that passes does the request continue to user-token verification, policy checks, and the provider.

No app IDs required

App Check verifies against your Firebase project number alone: the token's audience and issuer are both scoped to the project, so a valid signature proves it came from an app registered in that project. You do not need to enumerate individual Firebase app IDs. The only prerequisite is the project number, which you'll find in Firebase → Project settings → General and enter in your app's Auth config.

Enforce vs audit

App Check has two switches on the Auth config:

  State                      Behavior at the proxy
  Off                        App Check tokens are never checked. Any valid user token is accepted.
  On + enforce (default)     A missing or invalid App Check token is rejected. This is the recommended, protective setting.
  On + audit (enforce off)   Tokens are verified when present but never block a request. Use this to roll App Check out and watch for breakage before enforcing.

Turn enforcement on ("Reject requests without a valid App Check token") once you confirm your shipped clients actually send the header; any installed client that does not send it is rejected the moment you do. App Check requires the Pro or Max plan.

Set it up

  1. In the Firebase console, enable App Check and register App Attest (iOS) and Play Integrity (Android) for your app.
  2. Initialize App Check in your client and call getToken() to mint a token per request (or use the SDK's automatic refresh).
  3. Attach the token to every proxy call as x-firebase-appcheck.
  4. In the dashboard, open your app's Auth config, make sure the Firebase project number is set, tick Verify App Check tokens, then enable enforcement when you're ready.

See the configuration reference for the Auth config and the rest of an app's settings.