For Agents
Exchange platform attestation tokens for Firebase App Check tokens and manage App Check provider configurations so an agent can lock backend resources to genuine app traffic.
Get started with Firebase App Check API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"exchange a play integrity token for an app check token"
# → Jentic returns the exchangePlayIntegrityToken tool with its parameter schema, and the agent executes it.

What an agent can do with the Firebase App Check API.
Exchange Apple App Attest, DeviceCheck, and Play Integrity tokens for App Check tokens
Verify reCAPTCHA Enterprise and reCAPTCHA v3 site tokens against an App Check resource
Generate App Attest challenges and Play Integrity challenges for client attestation flows
Configure per-service App Check enforcement for Firestore, Realtime Database, and Storage
Use for: Exchange a Play Integrity token for a Firebase App Check token, Generate an App Attest challenge for an iOS client, Configure App Check enforcement for the Firestore service, List all App Check debug tokens for an Android app
Not supported: Does not authenticate end users, scan code for vulnerabilities, or replace Firebase Security Rules — use for attesting app authenticity and enforcing App Check on Firebase services only.
The Firebase App Check API helps protect backend resources from abuse such as billing fraud and phishing by attesting that traffic originates from your genuine app. It supports multiple attestation providers including App Attest, Play Integrity, DeviceCheck, reCAPTCHA Enterprise, reCAPTCHA v3, and SafetyNet, exchanging provider tokens for short-lived App Check tokens. Use it to enforce app authenticity for Firestore, Realtime Database, Cloud Functions, and other Firebase backends.
Issue debug tokens for App Check during local development and CI testing
Patterns agents use the Firebase App Check API for, with concrete tasks.
Backend Abuse Protection for Firestore
Lock Firestore reads and writes to traffic that has been attested by App Check, blocking direct API hits from emulators, scraped credentials, or modified app binaries. The API exposes service config endpoints under projects/{project}/services/{service} so enforcement can be toggled to UNENFORCED, AUDIT, or ENFORCED per service. Rolling out enforcement typically takes a release cycle to gather audit data before turning on full enforcement.
Call PATCH /v1/{+name} on projects/PROJECT/services/firestore.googleapis.com with enforcementMode=ENFORCED and confirm via GET /v1/{+name} that the new mode is set.
iOS App Attest Token Exchange
Exchange an Apple App Attest assertion or attestation produced on the device for a short-lived Firebase App Check token used in subsequent Firebase requests. The flow uses generateAppAttestChallenge to issue a challenge and exchangeAppAttestAttestation or exchangeAppAttestAssertion to redeem it. This proves the request came from a genuine, unmodified iOS app.
Call POST /v1/{+app}:generateAppAttestChallenge for an iOS app, then POST /v1/{+app}:exchangeAppAttestAttestation with the device-signed attestation and store the returned App Check token.
Android Play Integrity Verification
Validate Android client requests by exchanging a Play Integrity token from the Google Play Integrity API for a Firebase App Check token. The exchangePlayIntegrityToken endpoint lets backends trust that requests come from a Play-distributed binary running on a non-tampered device. This is the recommended attestation provider for current production Android apps.
Call POST /v1/{+app}:exchangePlayIntegrityToken with playIntegrityToken set to the JWS produced by Play Integrity for the Android app and store the returned token in the request header X-Firebase-AppCheck.
Agent-Managed App Check Rollout via Jentic
An AI agent connected to Jentic can configure and gradually roll out App Check enforcement across Firebase services in response to a security review. Jentic exposes the 27 App Check endpoints, the agent loads service config and debug-token operations, and the OAuth 2.0 flow stays inside the Jentic vault rather than the agent context.
Through Jentic, search for configure firebase app check enforcement, load the services.patch operation, and execute it with name=projects/PROJECT/services/firebasestorage.googleapis.com and enforcementMode=AUDIT.
27 endpoints
METHOD  PATH                                          DESCRIPTION
POST    /v1/{+app}:exchangePlayIntegrityToken         Exchange a Play Integrity token for an App Check token
POST    /v1/{+app}:exchangeAppAttestAttestation       Exchange an Apple App Attest attestation for an App Check token
POST    /v1/{+app}:exchangeRecaptchaEnterpriseToken   Exchange a reCAPTCHA Enterprise token for an App Check token
POST    /v1/{+app}:generateAppAttestChallenge         Generate a challenge for the App Attest flow
POST    /v1/{+app}:exchangeDebugToken                 Exchange a debug token for an App Check token
POST    /v1/{+app}:exchangeCustomToken                Exchange a custom token for an App Check token
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google OAuth 2.0 service-account credentials are stored in the Jentic vault. Agents receive scoped access tokens for management calls and never see the underlying private key, while platform attestation tokens stay client-side as designed.
Intent-based discovery
Agents search Jentic with intents like exchange a play integrity token or configure firebase app check enforcement and Jentic returns the matching exchangePlayIntegrityToken or services.patch operations with their input schemas.
Time to first call
Direct integration with App Check: 3-7 days covering provider setup, client SDK changes, audit-mode rollout, and full enforcement. Through Jentic: under 1 hour for management calls; client-side attestation still requires the platform SDK.
Alternatives and complements available in the Jentic catalogue.
Firebase Management API
Registers the apps that App Check then attests.
Choose Firebase Management to create the app resources first; use App Check afterwards to enforce attestation on traffic to those apps.
Firebase Rules API
Enforces per-resource access rules that work alongside App Check.
Choose Firebase Rules for per-document or per-path authorisation; use App Check to ensure the calling client itself is authentic before rules even run.
Google Identity Toolkit API
Authenticates end users rather than attesting app authenticity.
Choose Identity Toolkit when the question is about user identity; use App Check when the question is about whether the request came from a genuine app binary.
Specific to using the Firebase App Check API through Jentic.
What authentication does the Firebase App Check API use?
Management endpoints (service configs, debug tokens, attestation configs) use Google OAuth 2.0 with the firebase or cloud-platform scope. Token exchange endpoints accept the platform attestation token (App Attest, Play Integrity, reCAPTCHA, etc.) directly. Through Jentic, OAuth credentials live in the encrypted vault and never enter agent context.
Can I exchange a Play Integrity token for an App Check token via the Firebase App Check API?
Yes. POST /v1/{+app}:exchangePlayIntegrityToken takes a Play Integrity JWS in the playIntegrityToken field and returns a short-lived App Check token suitable for the X-Firebase-AppCheck header on Firestore, Realtime Database, Cloud Storage, and Cloud Functions calls.
What are the rate limits for the Firebase App Check API?
Google enforces standard per-project quotas on the App Check API. Token exchange endpoints are designed for per-request invocation and scale with your app's traffic; management endpoints (service config, debug tokens) are subject to lower per-minute quotas typical of management APIs.
How do I enforce App Check on Firestore through Jentic?
Run pip install jentic, search for configure firebase app check enforcement, load the services.patch operation, and execute it with name=projects/PROJECT/services/firestore.googleapis.com and enforcementMode=ENFORCED. Sign up at https://app.jentic.com/sign-up.
Does the Firebase App Check API support reCAPTCHA Enterprise?
Yes. POST /v1/{+app}:exchangeRecaptchaEnterpriseToken accepts a reCAPTCHA Enterprise token from a web client and returns an App Check token. There is also exchangeRecaptchaV3Token for reCAPTCHA v3 site keys.
Is the Firebase App Check API free?
App Check itself is included with Firebase at no extra charge under typical usage. Underlying provider services such as reCAPTCHA Enterprise are billed separately according to their own pricing.