Firebase App Check API

Firebase App Check API protects backend APIs to accept only requests from legitimate apps — preventing abuse, credential misuse, and bot attacks.

Visit site ↗Health checked 9h ago

Use it when

Uses platform-native attestation (iOS App Attest, Android Play Integrity, web reCAPTCHA Enterprise)

Watch for

Web side uses reCAPTCHA — may block some users

First check

Client integrates App Check SDK to obtain attestation tokens, attaching them to requests. Backend verifies tokens via App Check API. Firebase products (Firestore, Functions) can enable enforcement with one click.

Auth

—

CORS

HTTPS

Yes

Signup

Latency

45 ms

Protocol

REST

Pricing

—

Uptime · 30-day window

Probes: 1Uptime: 100%Avg latency: 45ms

About this API

App Check solves a classic problem: you built an iOS/Android/web app with Firebase Firestore as backend, but someone reverse-engineers the app to get the API key and scripts massive Firestore calls — your quota burns out, data is maliciously written. App Check makes Firestore accept only requests from "things that can prove they're a real app". Attestation uses platform-native capabilities: iOS uses App Attest (Secure Enclave), Android uses Play Integrity (device + app integrity signatures), web uses reCAPTCHA Enterprise (behavioral analysis). SDK auto-obtains tokens; backend auto-verifies. Combined with Firebase products (Firestore, Realtime Database, Cloud Functions, Storage), one-click enforcement enable. Strongly recommended for any serious Firebase app.

What you can build

1Prevent others from misusing leaked API keys to call your backend
2Restrict Firestore access to legitimate iOS/Android/web apps only
3Protect Cloud Functions from bot abuse
4Prevent client-side rate-limit bypass

Strengths & limitations

Strengths

Uses platform-native attestation (iOS App Attest, Android Play Integrity, web reCAPTCHA Enterprise)
Native integration with Firebase backend (one-click enable)
No friction for legitimate users

Limitations

Web side uses reCAPTCHA — may block some users
Jailbroken / rooted devices can still bypass attestation

Example request

Generic template — replace <endpoint> with the real path from the docs.

curl https://google.com/<endpoint>

Getting started

FAQ

Does it impact legitimate user performance?+

Negligible. Tokens are client-cached and reused for a period.

Does it fully defend against rooted/jailbroken-device attacks?+

Not 100%. Play Integrity and App Attest refuse to sign tokens on rooted/jailbroken devices, but attackers can attempt forgery. Raises the bar; not absolute defense.

Technical details

CORS: NoHTTPS: YesSignup: ?Open source: No

Auth type: unknown
Pricing: unknown
Protocols: REST
SDKs: javascript, typescript, swift, kotlin, go, java
Response time: 45 ms
Last health check: 5/12/2026, 7:37:31 AM

More from Google

View all from Google →

Admin SDK API

Google Workspace Admin SDK API programmatically manages Workspace organizations — users, groups, devices, domains, audit logs, organizational units.

AdMob API

Retrieve AdMob accounts, apps, ad units, ad sources, and generate mediation or network reports.

AdSense Host API

Work with AdSense Host accounts, ad clients, ad units, reports, and ad code generation from one API surface.

Apigee API

Programmatically manage Apigee organizations, API proxy deployments, attributes, certificates, and hybrid operations.

BigQuery API

Google BigQuery API is the REST interface to GCP's flagship data warehouse — execute SQL queries, manage datasets/tables, stream inserts, and use built-in ML.

Binary Authorization API

Control Binary Authorization attestors and policy checks for container images deployed to GKE and Anthos.

Business Profile Performance API

Fetch Business Profile location metrics, daily time series, and monthly search keyword impressions.

Calendar API

Google Calendar API lets apps create, read, and update calendar events programmatically — the go-to integration for scheduling apps.