Method: projects.verifyAppCheckToken
Verifies the given App Check token and returns token usage signals that callers may act upon. This method currently only supports App Check tokens exchanged from the following attestation providers:
- Play Integrity API
- App Attest
- DeviceCheck (`DCDevice` tokens)
- reCAPTCHA Enterprise
- reCAPTCHA v3
- Custom providers
App Check tokens exchanged from debug secrets are also supported. Calling this method on an otherwise valid App Check token with an unsupported provider will cause an HTTP 400 error to be returned.
Returns whether this token was already consumed before this call. If this is the first time this method has seen the given App Check token, the field `alreadyConsumed` in the response will be absent. The given token will then be marked as `alreadyConsumed` (set to `true`) for all future invocations of this method for that token.
Note that if the given App Check token is invalid, an HTTP 403 error is returned instead of a response object, regardless of whether the token was already consumed.
Currently, when evaluating whether an App Check token was already consumed, only calls to this exact method are counted. Use of the App Check token elsewhere will not mark the token as being already consumed.
The caller must have the `firebaseappcheck.appCheckTokens.verify` permission to call this method. This permission is part of the Firebase App Check Token Verifier role.
HTTP request
POST https://firebaseappcheck.googleapis.com/v1beta/{project=projects/*}:verifyAppCheckToken
The URL uses gRPC Transcoding syntax.
Path parameters

| Parameter | Type | Description |
|---|---|---|
| `project` | string | Required. The relative resource name of the project for which the token was minted, in the format: `projects/{project_number}`. If necessary, the `project_number` element can be replaced with the project ID of the Firebase project. Learn more about using project identifiers in Google's AIP 2510 standard. |

Request body
The request body contains data with the following structure:
JSON representation

```
{
  "appCheckToken": string
}
```

Fields

| Field | Type | Description |
|---|---|---|
| `appCheckToken` | string | Required. The App Check token to verify. App Check tokens exchanged from the SafetyNet provider are not supported; an HTTP 400 error will be returned. |

Response body
Response message for the `projects.verifyAppCheckToken` method.
If successful, the response body contains data with the following structure:
JSON representation

```
{
  "alreadyConsumed": boolean
}
```

Fields

| Field | Type | Description |
|---|---|---|
| `alreadyConsumed` | boolean | Whether this token was already consumed. If this is the first time this method has seen the given App Check token, this field will be omitted from the response. The given token will then be marked as `alreadyConsumed` (set to `true`) for all future invocations of this method for that token. Note that if the given App Check token is invalid, an HTTP 403 error is returned instead of a response containing this field, regardless of whether the token was already consumed. |

Authorization scopes
Requires one of the following OAuth scopes:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/firebase

For more information, see the Authentication Overview.
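
An added example (not part of the original reference page): a Python caller that maps the outcomes documented above to an allow/deny decision and fails closed on anything else. The function names, reason strings and the injectable `send` transport are assumptions of this sketch, and obtaining the OAuth access token is left to the caller.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "https://firebaseappcheck.googleapis.com/v1beta/projects/{}:verifyAppCheckToken"

def build_request(project, app_check_token, access_token):
    """POST request for verifyAppCheckToken; `project` is a project number or ID."""
    url = ENDPOINT.format(urllib.parse.quote(project, safe=""))
    body = json.dumps({"appCheckToken": app_check_token}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Bearer " + access_token,  # token for one of the listed OAuth scopes
        "Content-Type": "application/json"})

def send_http(request):
    """Default transport: returns (HTTP status, parsed JSON body or {})."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def decide(status, body):
    """Map the documented outcomes to (allow, reason); anything else fails closed."""
    if status == 200:
        # An absent field means this is the first time the method has seen the token.
        if body.get("alreadyConsumed") is True:
            return False, "replayed"
        return True, "first_use"
    if status == 403:   # page: the App Check token is invalid
        return False, "invalid_token"
    if status == 400:   # page: token from an unsupported provider (e.g. SafetyNet)
        return False, "unsupported_provider"
    return False, "verification_unavailable"

def verify_once(project, app_check_token, access_token, send=send_http):
    """Call once per protected request: the call itself marks the token consumed,
    so a blind retry with the same token is reported as a replay."""
    return decide(*send(build_request(project, app_check_token, access_token)))
```

Because only calls to this exact method count toward consumption, replay protection holds only for endpoints that route every token through this check.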
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-05 UTC.