Endurative

Firebase App Check With React Native Applications in 2025

What is Firebase App Check?

Firebase App Check helps protect your backend resources by checking that incoming requests come from a genuine, unmodified build of your app rather than from scripts, bots, or tampered copies.

At runtime the app obtains an attestation from a platform provider (Play Integrity on Android, App Attest or DeviceCheck on iOS, or a debug provider during development) and exchanges it with the Firebase App Check service for a short-lived, cryptographically signed App Check token. The app sends that token with each request, and your backend verifies it before doing any work.

This matters for mobile apps built with frameworks like React Native, where the JavaScript bundle and native code can be unpacked and inspected, revealing backend endpoints that an attacker can then call directly from outside the app to scrape data or run up your backend costs.

How to Implement Firebase App Check

Step 1: Register Your SHA-256 Fingerprint and a Debug Token

The Play Integrity provider needs the SHA-256 fingerprint of the certificate your app is signed with registered in your Firebase project, and it only attests builds distributed through Google Play. Local debug builds are not installed from Play, so for those you use the App Check debug provider and register its debug token instead.

1: Generate a Keystore File

Follow the Android documentation to create a keystore file (for local builds the debug keystore Android Studio generates at ~/.android/debug.keystore also works).

2: Extract the SHA-256 Fingerprint

Navigate to your Android project directory and run

cd android
./gradlew signingReport

Look for the SHA-256 value under the release or debug signing config; each keystore has its own fingerprint.

3: Register the Fingerprint and a Debug Token in Firebase

  1. Go to Firebase Console → Select Your Project
  2. Open Project Settings → Your apps → your Android app → Add fingerprint, and paste the SHA-256 value. This is what the Play Integrity provider is checked against.
  3. Navigate to Build → App Check, choose your Android app under Apps, and select Play Integrity as the attestation provider for release builds.
  4. For local development, click Manage debug tokens, enter a recognizable name (e.g., Local Debug Device) and the debug token your debug build uses. This is not the SHA-256 fingerprint: it is a secret string (a UUID) that is either generated by the debug provider and printed in the device log on first run, or chosen by you and passed in the provider configuration. Treat it like a credential, since anyone holding it can mint valid App Check tokens for your project.
  5. Save the token, and delete it again when the device is no longer in use.

Step 2: Install Required Dependencies

npm install @react-native-firebase/app @react-native-firebase/app-check

Ensure your google-services.json file is placed in:

android/app/google-services.json

App Check is native code, so rebuild the native app after installing; a JavaScript-only reload will not pick it up.

Step 3: Initialize App Check and Get a Token on the Client

App Check must be initialized with a provider before getToken() is called; without that there is nothing to produce a token. Use the Play Integrity provider for release builds and the debug provider (with the debug token registered in Step 1) for local builds, and never ship a debug token in a release build:

import appCheck from "@react-native-firebase/app-check";

// Call once at app startup, before any getAppCheckToken() call.
export const initAppCheck = async () => {
  const provider = appCheck().newReactNativeFirebaseAppCheckProvider();
  provider.configure({
    android: {
      provider: __DEV__ ? "debug" : "playIntegrity",
      // Debug token registered in Step 1; kept out of release builds.
      debugToken: __DEV__ ? "YOUR_DEBUG_TOKEN" : undefined,
    },
    apple: {
      provider: __DEV__ ? "debug" : "appAttestWithDeviceCheckFallback",
      debugToken: __DEV__ ? "YOUR_DEBUG_TOKEN" : undefined,
    },
  });
  await appCheck().initializeAppCheck({ provider, isTokenAutoRefreshEnabled: true });
};

// Returns the cached token, or fetches a fresh one when forceRefresh is true.
export const getAppCheckToken = async (forceRefresh = false) => {
  try {
    const { token } = await appCheck().getToken(forceRefresh);
    return token;
  } catch (error) {
    console.error("Error getting App Check token:", error);
    return null;
  }
};

Use the token in your API requests:

import axios from "axios";

const token = await getAppCheckToken();
if (!token) throw new Error("No App Check token available");

const response = await axios.get("YOUR_API_ENDPOINT", {
  headers: {
    "X-Firebase-AppCheck": token,
  },
});

Backend Configuration

Step 4: Secure Your Server with Firebase Admin SDK

1: Generate Service Account Key

  1. Go to Firebase Console → Project Settings → Service Accounts
  2. Click Generate New Private Key and download the file

2: Store the Key Securely

  1. Keep the file confidential. Never commit it to version control (e.g., GitHub), and if it is ever exposed, delete it from the Service Accounts page and generate a new one: it grants broad admin access to the project.
  2. Extract the following values and store them in your .env file (or, better, your host's secret manager). The private key must keep its BEGIN/END lines, with line breaks written as \n:

FIREBASE_PROJECT_ID=your_project_id
FIREBASE_CLIENT_EMAIL=your_client_email
FIREBASE_PRIVATE_KEY="your_private_key_with_proper_escaping"

3: Install Firebase Admin

npm install firebase-admin

4: Initialize Firebase Admin in Your Backend

import admin from 'firebase-admin';

admin.initializeApp({
  credential: admin.credential.cert({
    projectId: process.env.FIREBASE_PROJECT_ID,
    // The .env value stores each line break as the two characters "\n";
    // turn them back into real newlines before handing the PEM to the SDK.
    privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\n/g, '\n'),
    clientEmail: process.env.FIREBASE_CLIENT_EMAIL,
  }),
});

If the backend runs on Google Cloud (Cloud Run, Cloud Functions, GKE), you can skip the downloaded key entirely and call admin.initializeApp() with no arguments; the SDK then uses the runtime's service account through Application Default Credentials, so no long-lived private key has to be stored anywhere.

Step 5: Verify Token Middleware

Create a middleware that verifies the App Check token. admin.appCheck().verifyToken() checks the token's signature against Firebase's public keys, its issuer, its audience (your project) and its expiry, and throws if any check fails; on success it returns the verified claims, including the appId the token was issued to:

import admin from "firebase-admin";

export async function verifyAppCheckToken(req, res, next) {
  // Express header lookup is case-insensitive, so this matches "X-Firebase-AppCheck".
  const appCheckToken = req.header("X-Firebase-AppCheck");
  if (!appCheckToken) {
    return res.status(401).json({ error: "Missing App Check token" });
  }

  try {
    // Throws on a forged, expired or foreign-project token.
    const { appId } = await admin.appCheck().verifyToken(appCheckToken);
    // Expose the verified app ID to handlers and request logs.
    req.appCheck = { appId };
    return next();
  } catch (err) {
    // Log server-side only; do not echo verification details back to the caller.
    console.error("App Check verification failed:", err.message);
    return res.status(401).json({ error: "App Check verification failed" });
  }
}

Use it on protected routes like:

app.get('/secure-endpoint', verifyAppCheckToken, handlerFunction);

Two caveats. An App Check token is a bearer token, valid for an hour by default, so a token captured from one request can be replayed until it expires; verifyToken() alone does not prevent that. For sensitive one-shot operations, have the client request a limited-use token and verify it with verifyToken(token, { consume: true }), rejecting the request when the result's alreadyConsumed flag is true. And App Check proves which app a request came from, not which user: keep Firebase Auth or your own authentication for authorization decisions.

Production Notes (Google Play Store)

With Play App Signing, Google re-signs your release with its own app signing key, so the certificate on the APK users actually install differs from your upload key and from your debug key. Register that fingerprint too:

  1. Visit Google Play Console → Your App → App Integrity.
  2. Scroll to the App Signing section.
  3. Copy the SHA-256 certificate fingerprint of the app signing key certificate.
  4. Add it in Firebase Console → Project Settings → Your apps → your Android app → Add fingerprint. Keep the upload or debug fingerprints only if you still need them for internal testing builds, and remove debug tokens for devices you no longer use.

This ensures the Play Integrity provider recognizes production-signed APKs. Once every shipped client version sends a token, turn on enforcement for the Firebase services you use under Build → App Check; until then, watch the App Check metrics for unverified requests so you do not lock out older app versions. For your own backend, enforcement is the middleware from Step 5.

Firebase App Check adds a robust security layer for backend resources by validating requests with device-level attestation. It is not a substitute for authentication or authorization, and a determined attacker with a rooted device can still drive a genuine build, but combined with sound API design, rate limiting and careful handling of the service account key and debug tokens, it significantly raises the cost of abuse, fraud, and unauthorized data access.