Enable App Check enforcement

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.

The following steps describe how to enable enforcement for Firebase AI Logic, SQL Connect, Realtime Database, Cloud Firestore, Cloud Storage, Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New). Once you enable enforcement for a product, all unverified requests to that product will be rejected.

  1. In the Firebase console, navigate to Security > App Check.

  2. Expand the metrics view of the product for which you want to enable enforcement.

  3. Click Enforce and confirm your choice.

Note that it can take up to 15 minutes after you enable enforcement for it to take effect.

Replay protection (beta)

By default, App Check uses session tokens, which have a configurable time to live (TTL) between 30 minutes and 7 days. These session tokens are cached by the App Check SDK, are sent along with requests from your app, and can be reused until their TTL expires. Using session tokens is considered baseline protection.

To enhance protection beyond the baseline protection offered by App Check, you can optionally enforce replay protection. Here's what happens when you enforce replay protection:

  • App Check will block requests to the protected API that use session tokens. Instead, App Check will only allow a request to the protected API that uses a newly minted limited-use token. See the product-specific documentation for how to enable usage of limited-use tokens in your app.

  • After the limited-use token is verified, the token is consumed so that it can be used only once, which prevents replay attacks.

  • The App Check SDK will generate a new token for each request. This process can impact your requests by adding some latency and sometimes cost (depending on your attestation provider).

Here's how to enforce replay protection:

  1. In your app's codebase, enable usage of limited-use tokens. See product-specific documentation for these instructions:

  2. In the Firebase console, navigate to Security > App Check.

  3. Expand the metrics view for the protected API.

  4. Make sure Baseline protection is Enforced, then click Continue.

  5. For replay protection, choose either Unenforced (monitoring only) or Enforced.

    Consider the following to decide when to enforce replay protection:

    • Monitoring your requests is recommended if a substantial number of your users are likely using earlier versions of your app without limited-use tokens enabled. If you enforce replay protection immediately, requests from those users will be blocked.

    • In the Security > App Check > APIs tab of the Firebase console, you can monitor the Unverified: Reused token metric, which is the number of requests that have a token which has already been used in a previous request. If a significant portion of the recent requests are in this category, you should avoid disrupting users and consider waiting for more users to update your app before enabling enforcement.
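The token behaviors and rollout guidance above, as an added example that is not Firebase code: a constructed JavaScript model of the verification decision under baseline protection, monitoring-only replay protection and enforced replay protection, including the reused-token share that the last bullet tells you to watch. The token objects, the `AppCheckEnforcer` class and `reusedShare` are illustrative assumptions; the real checks run on App Check JWTs inside Firebase's backends, not in your code.

```javascript
// Added example, not from the Firebase docs: a constructed model of the
// verification decisions described above. Real App Check tokens are JWTs
// verified inside Firebase's backends; the objects here are stand-ins.
const MIN_SESSION_TTL_MS = 30 * 60 * 1000;          // 30 minutes
const MAX_SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days

// kind is "session" (cached, reusable until exp) or "limited-use" (one request).
function makeToken(id, kind, issuedAtMs, ttlMs) {
  if (kind === "session" && (ttlMs < MIN_SESSION_TTL_MS || ttlMs > MAX_SESSION_TTL_MS)) {
    throw new RangeError("session token TTL must be between 30 minutes and 7 days");
  }
  return { id, kind, exp: issuedAtMs + ttlMs };
}

class AppCheckEnforcer {
  // replay: "off" = baseline only, "monitor" = count reuse but still allow,
  // "enforce" = accept only a fresh limited-use token.
  constructor(replay = "off") {
    this.replay = replay;
    this.seen = new Set(); // token ids already presented in a previous request
    this.metrics = { verified: 0, unverifiedReused: 0, rejected: 0 };
  }

  verify(token, nowMs) {
    if (!token || nowMs >= token.exp) {
      this.metrics.rejected++;
      return { allowed: false, reason: token ? "expired token" : "missing token" };
    }
    if (this.replay === "off") {            // baseline: any unexpired token passes
      this.metrics.verified++;
      return { allowed: true, reason: "baseline" };
    }
    const reused = this.seen.has(token.id); // feeds the "Unverified: Reused token" metric
    this.seen.add(token.id);
    if (this.replay === "enforce" && (token.kind === "session" || reused)) {
      this.metrics.rejected++;
      return { allowed: false, reason: reused ? "reused token" : "session token" };
    }
    if (reused) this.metrics.unverifiedReused++; else this.metrics.verified++;
    return { allowed: true, reason: reused ? "reused token (monitoring)" : `${token.kind} token accepted` };
  }
}

// Rollout check from the last bullet: the share of recent requests that presented
// an already-used token. A large share means many users still run old app versions.
function reusedShare(metrics) {
  const total = metrics.verified + metrics.unverifiedReused + metrics.rejected;
  return total === 0 ? 0 : metrics.unverifiedReused / total;
}
```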