Enable App Check
Firebase App Check is a mandatory security step before releasing your app. It helps protect your Firebase resources from abuse by verifying that incoming requests are from your authentic apps.
Setup in Firebase Console
Enable App Check for each provider:
- Android: Play Integrity
- iOS: Device Check/App Attest
- Web: reCAPTCHA Enterprise
Enable App Check enforcement for each service:
- Realtime Database
- Cloud Storage
- Cloud Functions
- Cloud Firestore
Platform Setup
Each platform requires specific setup in the Firebase Console. Follow the official documentation for detailed steps:
Enable Play Integrity API:
- Go to Google Cloud Console
- Enable Play Integrity API for your project
No code changes needed - Play Integrity is configured automatically
Review iOS App Check documentation
Enable App Attest:
- Configure your app in App Store Connect
- Enable App Attest capability
No code changes needed - Device Check/App Attest is configured automatically
Review Web App Check documentation
Create reCAPTCHA Enterprise site key:
- Go to reCAPTCHA Admin Console
- Create a new site with your domain
- Choose reCAPTCHA Enterprise
Add site key to
:Terminal window KEY_RECAPTCHA=your_site_key_here -
Add secret key to Firebase Console:
- Go to App Check settings
- Configure reCAPTCHA Enterprise
- Add your secret key
ShipFlutter automatically initializes App Check with the appropriate provider:
await FirebaseAppCheck.instance.activate( // Web: reCAPTCHA Enterprise webProvider: ReCaptchaEnterpriseProvider(Env.keyRecaptcha),
// Android: Play Integrity or Debug Provider androidProvider: kDebugMode ? AndroidProvider.debug : AndroidProvider.playIntegrity,
// iOS: Device Check/App Attest or Debug Provider appleProvider: kDebugMode ? AppleProvider.debug : AppleProvider.appAttestWithDeviceCheckFallback,);
Debug Tokens
During development, you’ll need debug tokens to run your app in emulators or CI environments. ShipFlutter automatically handles this by using debug providers in development mode but you’ll need to set them up for each platform (official docs).
Enable debug logging in Xcode:
- Open Product > Scheme > Edit scheme
- Select Run > Arguments
- Add
to Arguments Passed on Launch
Run your app in Simulator
Firebase App Check Debug Token:123a4567-b89c-12d3-e456-789012345678 -
Register token in Firebase Console:
- Go to App Check
- Select your app’s overflow menu
- Choose “Manage debug tokens”
- Add the token
Run your app in emulator
D DebugAppCheckProvider: Enter this debug secret into the allow list:123a4567-b89c-12d3-e456-789012345678 -
Register token in Firebase Console:
- Go to App Check
- Select your app’s overflow menu
- Choose “Manage debug tokens”
- Add the token
Enable debug mode in
:<body><script>self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;</script>...</body> -
Run locally and check browser console for token:
AppCheck debug token: "123a4567-b89c-12d3-e456-789012345678" -
Register token in Firebase Console
Optional: Use specific token across browsers:
<script>self.FIREBASE_APPCHECK_DEBUG_TOKEN = "your-debug-token";</script>
If you encounter issues:
Check the App Check Status in Firebase Console
Verify debug provider is working in development:
if (kDebugMode) {print('Using App Check debug provider');} -
Test with enforcement disabled first:
- Disable enforcement in Firebase Console
- Test your app thoroughly
- Enable enforcement gradually per service
Monitor App Check metrics in Firebase Console:
- Token requests
- Verification success rate
- Error rates