google-identity-toolkit

INVALID_APP_CREDENTIAL error for some users on both iOS and Android


We use Identity Platform on a Node.js backend to authenticate users using the phone auth method (SMS).

To do so, my Android and iOS native apps get a reCAPTCHA v2 token, and then call our backend with that reCAPTCHA token.

Our backend then calls https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode.

We use the following code to authenticate requests (via ADC since the backend is deployed on Cloud Run):

import { GoogleAuth } from "google-auth-library";

// The `auth` client was not shown in the original snippet; it is assumed to be an
// ADC-backed GoogleAuth instance with the cloud-platform scope.
const auth = new GoogleAuth({
  scopes: ["https://www.googleapis.com/auth/cloud-platform"],
});

const body = {
  phoneNumber: phoneNumber.toString(),
  recaptchaToken: deviceCheck.recaptchaToken,
  autoRetrievalInfo:
    platform === "android"
      ? {
          appSignatureHash: androidAppSignatureHash,
        }
      : undefined,
  quotaUser: quotaPeer.toString(),
};

const result = await fetch(
  "https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode",
  {
    method: "POST",
    headers: {
      ...(await auth.getRequestHeaders()),
      ...(platform === "ios"
        ? { "x-ios-bundle-identifier": iosAppBundleIdentifier }
        : {}),
    },
    body: JSON.stringify(body),
  },
);

But only sometimes, for some requests, I get the following error:

{"error":{"code":400,"message":"INVALID_APP_CREDENTIAL","errors":[{"message":"INVALID_APP_CREDENTIAL","domain":"global","reason":"invalid"}]}}

We've looked everywhere, and we can't seem to find a single clue about what this error means.

Is this:

I've looked into the Firebase SDK implementations and they don't seem to be doing anything differently, really.

This is really critical for us, as a lot of our users don't seem to be able to log in because of that issue.


Solution

  • I got the following answer from Google Cloud Support:

    After reviewing the logs, I noticed that the reCAPTCHA score for some of the affected requests was low (< 0.3), which likely contributed to the errors you were seeing. This could have impacted the verification process, as reCAPTCHA assessments play a crucial role in validating requests for services like SMS verification.

    It appears that the issue has resolved itself now, as the error frequency has decreased and no new failures have been reported. This could be due to the time it takes for reCAPTCHA to correctly assess and validate requests, or it could also be a result of any recent annotations to your reCAPTCHA assessments.

    As per the reCAPTCHA documentation, annotating reCAPTCHA assessments can help improve the accuracy of scores and lead to better validation in the future. If this was a new deployment, it might have taken some time for reCAPTCHA to fully adjust to the request patterns and provide more accurate assessments. If you haven't done so already, we recommend looking into annotating the assessments for better long-term results.

    Since there's no way to prevent this, and since other device check methods (silent notifications on iOS, Play Integrity on Android) were a pain to try to implement (couldn't make the silent notifications work, and Play Integrity tokens were refused), we've decided to move away from Identity Platform for sending SMS.
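Because the failure above only shows up as a 400 with INVALID_APP_CREDENTIAL in the body, and support traced it to low reCAPTCHA scores rather than anything in the request, the practical defence is to recognise that response and watch its rate so a spike is noticed before many users are locked out. The following is an added example (not code from the original post or from Google): a classifier for the accounts:sendVerificationCode response body shown above, plus a sliding-window monitor; the window, threshold and minimum-sample values are assumed defaults.

```javascript
// Added example: classify Identity Toolkit error responses and track how
// often INVALID_APP_CREDENTIAL occurs over a sliding time window.

// Map an HTTP status plus response body to a stable outcome label.
// Non-JSON bodies are labelled rather than thrown, so a proxy error page
// never crashes the login path.
function classifySendCodeResponse(status, bodyText) {
  if (status === 200) return "OK";
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    return "UNPARSEABLE_" + status;
  }
  const message = parsed && parsed.error && parsed.error.message;
  if (message === "INVALID_APP_CREDENTIAL") return "INVALID_APP_CREDENTIAL";
  // Other Identity Toolkit messages often read "CODE : detail"; keep the code.
  if (typeof message === "string" && message.length > 0) {
    return message.split(" ")[0];
  }
  return "HTTP_" + status;
}

// Sliding-window monitor. `record` expects timestamps to be non-decreasing
// (wall-clock order of requests); `stats` reports the share of
// INVALID_APP_CREDENTIAL outcomes and whether it crosses the threshold.
class AppCredentialFailureMonitor {
  constructor({ windowMs = 10 * 60 * 1000, threshold = 0.2, minSamples = 20 } = {}) {
    this.windowMs = windowMs; // assumed default: 10 minutes
    this.threshold = threshold; // assumed default: alert at 20% failures
    this.minSamples = minSamples; // assumed default: ignore tiny windows
    this.events = []; // { at, outcome }, oldest first
  }
  record(outcome, at = Date.now()) {
    this.events.push({ at, outcome });
    const cutoff = at - this.windowMs;
    while (this.events.length && this.events[0].at < cutoff) this.events.shift();
  }
  stats() {
    const total = this.events.length;
    const failed = this.events.filter((e) => e.outcome === "INVALID_APP_CREDENTIAL").length;
    const rate = total ? failed / total : 0;
    return { total, failed, rate, alert: total >= this.minSamples && rate >= this.threshold };
  }
}
```

Call `classifySendCodeResponse(result.status, await result.text())` after the fetch shown in the question and feed the label into one shared monitor; an `alert: true` result is the signal to page someone rather than silently returning errors to the app.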