Enable App Check

Firebase App Check is a mandatory security step before releasing your app. It helps protect your Firebase resources from abuse by verifying that incoming requests are from your authentic apps.

Setup in Firebase Console

Go to Firebase Console > App Check
Enable App Check for each provider:
- Android: Play Integrity
- iOS: Device Check/App Attest
- Web: reCAPTCHA Enterprise
Enable App Check enforcement for each service:
- Realtime Database
- Cloud Storage
- Cloud Functions
- Cloud Firestore

Platform Setup

Each platform requires specific setup in the Firebase Console. Follow the official documentation for detailed steps:

Review Android App Check documentation
Enable Play Integrity API:
- Go to Google Cloud Console
- Enable Play Integrity API for your project
No code changes needed - Play Integrity is configured automatically

Review Web App Check documentation
Create reCAPTCHA Enterprise site key:
- Go to reCAPTCHA Admin Console
- Create a new site with your domain
- Choose reCAPTCHA Enterprise
Add site key to app/.env:
Terminal window
```
KEY_RECAPTCHA=your_site_key_here
```
Add secret key to Firebase Console:
- Go to App Check settings
- Configure reCAPTCHA Enterprise
- Add your secret key

Implementation

ShipFlutter automatically initializes App Check with the appropriate provider:

await FirebaseAppCheck.instance.activate(
  // Web: reCAPTCHA Enterprise
  webProvider: ReCaptchaEnterpriseProvider(Env.keyRecaptcha),

  // Android: Play Integrity or Debug Provider
  androidProvider: kDebugMode
    ? AndroidProvider.debug
    : AndroidProvider.playIntegrity,

  // iOS: Device Check/App Attest or Debug Provider
  appleProvider: kDebugMode
    ? AppleProvider.debug
    : AppleProvider.appAttestWithDeviceCheckFallback,
);

Debug Tokens

During development, you’ll need debug tokens to run your app in emulators or CI environments. ShipFlutter automatically handles this by using debug providers in development mode but you’ll need to set them up for each platform (official docs).

Enable debug logging in Xcode:
- Open Product > Scheme > Edit scheme
- Select Run > Arguments
- Add -FIRDebugEnabled to Arguments Passed on Launch

Run your app in Simulator

Firebase App Check Debug Token:
123a4567-b89c-12d3-e456-789012345678

Register token in Firebase Console:
- Go to App Check
- Select your app’s overflow menu
- Choose “Manage debug tokens”
- Add the token

Run your app in emulator

D DebugAppCheckProvider: Enter this debug secret into the allow list:
123a4567-b89c-12d3-e456-789012345678

Register token in Firebase Console:
- Go to App Check
- Select your app’s overflow menu
- Choose “Manage debug tokens”
- Add the token

Enable debug mode in web/index.html:

<body>
  <script>
    self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;
  </script>
  ...
</body>

Run locally and check browser console for token:

AppCheck debug token: "123a4567-b89c-12d3-e456-789012345678"

Optional: Use specific token across browsers:

<script>
  self.FIREBASE_APPCHECK_DEBUG_TOKEN = "your-debug-token";
</script>

Debugging

If you encounter issues:

Check the App Check Status in Firebase Console

Verify debug provider is working in development:

if (kDebugMode) {
  print('Using App Check debug provider');
}

Test with enforcement disabled first:
- Disable enforcement in Firebase Console
- Test your app thoroughly
- Enable enforcement gradually per service
Monitor App Check metrics in Firebase Console:
- Token requests
- Verification success rate
- Error rates