firebasegoogle-cloud-platformfirebase-authenticationgoogle-cloud-functionsaccess-token

idToken not recommended for API calls


As per documentation I've seen, it appears it's not recommended to authenticate API calls coming from a mobile, using a user idToken. For such cases, accessToken is more suitable. (Source : ID Tokens should never be used to obtain direct access to APIs )

However, in my architecture, I have:

So I'm ok to do on the front/mobile side:

However, I do not find anything, to validate the accessToken server side (I only find how to validate idToken ).

How is it supposed to work in an ideal world?

Thanks

Using idToken to authenticate my users (mobile App) on my API, but I would like to follow all best practices.


Solution

  • As per documentation I've seen, it appears it's not recommended to authenticate API calls coming from a mobile, using a user idToken.

    When you're using Firebase Authentication, you aren't using those so-called "access tokens". Firebase doesn't have such a concept. You are just using "ID tokens" which are needed so the calls that you perform can be verified on the Firebase backend. For more info, please check the link below"