v4.12.0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 12, 2023 License: Apache-2.0 Imports: 7 Imported by: 3



Package appcheck provides functionality for verifying App Check tokens.



This section is empty.


View Source
var (
	// ErrIncorrectAlgorithm is returned when the token is signed with a non-RSA256 algorithm.
	ErrIncorrectAlgorithm = errors.New("token has incorrect algorithm")
	// ErrTokenType is returned when the token is not a JWT.
	ErrTokenType = errors.New("token has incorrect type")
	// ErrTokenClaims is returned when the token claims cannot be decoded.
	ErrTokenClaims = errors.New("token has incorrect claims")
	// ErrTokenAudience is returned when the token audience does not match the current project.
	ErrTokenAudience = errors.New("token has incorrect audience")
	// ErrTokenIssuer is returned when the token issuer does not match Firebase's App Check service.
	ErrTokenIssuer = errors.New("token has incorrect issuer")
	// ErrTokenSubject is returned when the token subject is empty or missing.
	ErrTokenSubject = errors.New("token has empty or missing subject")
View Source
var JWKSUrl = ""

JWKSUrl is the URL of the JWKS used to verify App Check tokens.


This section is empty.


type Client

type Client struct {
	// contains filtered or unexported fields

Client is the interface for the Firebase App Check service.

func NewClient

func NewClient(ctx context.Context, conf *internal.AppCheckConfig) (*Client, error)

NewClient creates a new instance of the Firebase App Check Client.

This function can only be invoked from within the SDK. Client applications should access the the App Check service through firebase.App.

func (*Client) VerifyToken

func (c *Client) VerifyToken(token string) (*DecodedAppCheckToken, error)

VerifyToken verifies the given App Check token.

VerifyToken considers an App Check token string to be valid if all the following conditions are met:

  • The token string is a valid RS256 JWT.
  • The JWT contains valid issuer (iss) and audience (aud) claims that match the issuerPrefix and projectID of the tokenVerifier.
  • The JWT contains a valid subject (sub) claim.
  • The JWT is not expired, and it has been issued some time in the past.
  • The JWT is signed by a Firebase App Check backend server as determined by the keySource.

If any of the above conditions are not met, an error is returned. Otherwise a pointer to a decoded App Check token is returned.

type DecodedAppCheckToken

type DecodedAppCheckToken struct {
	Issuer    string
	Subject   string
	Audience  []string
	ExpiresAt time.Time
	IssuedAt  time.Time
	AppID     string
	Claims    map[string]interface{}

DecodedAppCheckToken represents a verified App Check token.

DecodedAppCheckToken provides typed accessors to the common JWT fields such as Audience (aud) and ExpiresAt (exp). Additionally it provides an AppID field, which indicates the application ID to which this token belongs. Any additional JWT claims can be accessed via the Claims map of DecodedAppCheckToken.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL