Skip to main content

App Check (with reCAPTCHA)

Last Updated: 15 Apr 2024
note

This feature works in Browser/HTML5 Export only

Step 1: Set up your Firebase Project

note from firebase
App Check supports reCAPTCHA Enterprise, which has more security features and fraud signals than reCAPTCHA v3. reCAPTCHA Enterprise gives you up to 1 million assessments per month at no cost, which is equal to reCAPTCHA v3's total monthly quota.
You should use reCAPTCHA Enterprise for new integrations, and we strongly recommend that developers of apps using reCAPTCHA v3 upgrade when possible.
To learn the differences between reCAPTCHA v3 and reCAPTCHA Enterprise, see the comparison of features.

  1. Open the reCAPTCHA Enterprise section of the Cloud console and do the following:

    • If you're prompted to enable the reCAPTCHA Enterprise API, do so.
    • Create a Website-type key. You will need to specify domains on which you host your web app. Leave the "Use checkbox challenge" option unselected.

  2. Register your apps to use App Check with the reCAPTCHA Enterprise provider in the App Check section of the Firebase console. You will need to provide the site key you got in the previous step. You usually need to register all of your project's apps, because once you enable enforcement for a Firebase product, only registered apps will be able to access the product's backend resources.

  3. Optional: In the app registration settings, set a custom time-to-live (TTL) for App Check tokens issued by the provider. You can set the TTL to any value between 30 minutes and 7 days. When changing this value, be aware of the following tradeoffs:

    • Security: Shorter TTLs provide stronger security, because it reduces the window in which a leaked or intercepted token can be abused by an attacker.
    • Performance: Shorter TTLs mean your app will perform attestation more frequently. Because the app attestation process adds latency to network requests every time it's performed, a short TTL can impact the performance of your app.
    • Quota and cost: Shorter TTLs and frequent re-attestation deplete your quota faster, and for paid services, potentially cost more. See Quotas & limits.
note

The default TTL of 1 day is reasonable for most apps. Note that the App Check library refreshes tokens at approximately half the TTL duration.



Step 2: Firebase SDK Plugin Property

  1. In your Construct 3 Editor, go to Firebase SDK Plugin Property.
  2. Enable App Check
  3. Enter your reCAPTCHA Site Key.



Step 3: Monitor metrics and Enable enforcement

Once the App Check library is installed in your app, deploy it.

The updated client app will begin sending App Check tokens along with every request it makes to Firebase, but Firebase products will not require the tokens to be valid until you enable enforcement in the App Check section of the Firebase console.

1. Monitor metrics

Before you enable enforcement, you should make sure that doing so won't disrupt your existing legitimate users. On the other hand, if you're seeing suspicious use of your app resources, you might want to enable enforcement sooner.

To help make this decision, you can look at App Check metrics for the services you use:

2. Enable App Check Enforcement

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement:



NOTE FROM FIREBASE ON COST
App Check creates an assessment on your behalf to validate the user's response token each time a browser running your web app refreshes its App Check token. Your project will be charged for each assessment created above the no-cost quota. See reCAPTCHA Enterprise pricing for details.
By default, your web app will refresh this token twice every 1 hour. To control how frequently your app refreshes App Check tokens (and thus how frequently new assessments are created), configure their TTL.
Portions of this page are modifications based on work created and shared by Google and used according to terms described in the Creative Commons 4.0 Attribution License.