--- description: Unofficial Capacitor plugin for Firebase App Check SDK to protect your app's resources from abuse with support for Android, iOS, and Web. title: Capacitor Firebase App Check Plugin - Capawesome image: https://capawesome.io/docs/assets/images/social/plugins/firebase/app-check.png --- [ Skip to content](#capacitor-firebaseapp-check) [ πŸŽ‰ Introducing **Capawesome Platform** β€” one platform for Live Updates, Native Builds, App Store Publishing, and Insider SDKs.](https://capawesome.io) * [ iOS ](#ios) * [ Web ](#web) * [ Configuration ](#configuration) * [ Firebase JavaScript SDK ](#firebase-javascript-sdk) * [ Demo ](#demo) * [ Usage ](#usage) * [ API ](#api) * [ Type Aliases ](#type-aliases) * [ Testing ](#testing) * [ Changelog ](#changelog) * [ License ](#license) * [ Authentication ](/docs/plugins/firebase/authentication/) * [ Crashlytics ](/docs/plugins/firebase/crashlytics/) * [ Cloud Firestore ](/docs/plugins/firebase/cloud-firestore/) * [ Cloud Functions ](/docs/plugins/firebase/cloud-functions/) * [ Cloud Messaging ](/docs/plugins/firebase/cloud-messaging/) * [ Cloud Storage ](/docs/plugins/firebase/cloud-storage/) * [ Performance Monitoring ](/docs/plugins/firebase/performance-monitoring/) * [ Remote Config ](/docs/plugins/firebase/remote-config/) * [ Formbricks ](/docs/plugins/formbricks/) * [ Geocoder ](/docs/plugins/geocoder/) * [ Google Sign-In ](/docs/plugins/google-sign-in/) * [ Grafana Faro ](/docs/plugins/grafana-faro/) * [ libSQL ](/docs/plugins/libsql/) * [ Live Update ](/docs/plugins/live-update/) * [ Managed Configurations ](/docs/plugins/managed-configurations/) * [ Media Session ](/docs/plugins/media-session/) * [ ML Kit ](/docs/plugins/mlkit/) * [ Navigation Bar ](/docs/plugins/navigation-bar/) * [ NFC ](/docs/plugins/nfc/) * [ OAuth ](/docs/plugins/oauth/) * [ Pedometer ](/docs/plugins/pedometer/) * [ Photo Editor ](/docs/plugins/photo-editor/) * [ PostHog ](/docs/plugins/posthog/) * [ Printer ](/docs/plugins/printer/) * [ Purchases ](/docs/plugins/purchases/) * [ RealtimeKit ](/docs/plugins/realtimekit/) * [ Screen Orientation ](/docs/plugins/screen-orientation/) * [ Screenshot ](/docs/plugins/screenshot/) * [ Secure Preferences ](/docs/plugins/secure-preferences/) * [ Speech Recognition ](/docs/plugins/speech-recognition/) * [ Speech Synthesis ](/docs/plugins/speech-synthesis/) * [ Share Target ](/docs/plugins/share-target/) * [ Square Mobile Payments ](/docs/plugins/square-mobile-payments/) * [ SQLite ](/docs/plugins/sqlite/) * [ Superwall ](/docs/plugins/superwall/) * [ Torch ](/docs/plugins/torch/) * [ Wifi ](/docs/plugins/wifi/) * [ Zip ](/docs/plugins/zip/) * [ Cloud ](/docs/cloud/) * [ Live Updates ](/docs/cloud/live-updates/) * Advanced * Integrations * [ Native Builds ](/docs/cloud/native-builds/) * [ Configuration ](/docs/cloud/native-builds/configuration/) * [ Environments ](/docs/cloud/native-builds/environments/) * Guides * [ Sample Projects ](/docs/cloud/native-builds/sample-projects/) * [ Troubleshooting ](/docs/cloud/native-builds/troubleshooting/) * [ Automations ](/docs/cloud/automations/) * [ Assist ](/docs/cloud/assist/) * Account * Organizations * [ Organization and User Management ](/docs/cloud/organizations/memberships/) * [ Single Sign-On (SSO) ](/docs/cloud/organizations/sso/) * [ Teams ](/docs/cloud/organizations/teams/) * [ Two-Factor Authentication ](/docs/cloud/organizations/two-factor-authentication/) * [ Integrations ](/docs/cloud/integrations/) * [ License Keys ](/docs/cloud/license-keys/) * [ Webhooks ](/docs/cloud/webhooks/) * [ Pricing ](https://capawesome.io/pricing/) * [ FAQ ](/docs/cloud/faq/) * [ Support ](/docs/cloud/support/) * [ Contributing ](/docs/contributing/) * [ LLMs ](/docs/llms/) * [ Insiders ](/docs/insiders/) * [ License ](https://capawesome.io/legal/eula/) * [ Support ](/docs/insiders/support/) * [ FAQ ](/docs/insiders/faq/) * [ Blog ](/blog/) * Categories * [ iOS ](#ios) * [ Web ](#web) * [ Configuration ](#configuration) * [ Firebase JavaScript SDK ](#firebase-javascript-sdk) * [ Demo ](#demo) * [ Usage ](#usage) * [ API ](#api) * [ Type Aliases ](#type-aliases) * [ Testing ](#testing) * [ Changelog ](#changelog) * [ License ](#license) # @capacitor-firebase/app-check[ΒΆ](#capacitor-firebaseapp-check "Permanent link") Unofficial Capacitor plugin for [Firebase App Check](https://firebase.google.com/docs/app-check).[1](#fn:1) [ ![Deliver Live Updates to your Capacitor app with Capawesome Cloud](../../../assets/external/cloud.capawesome.io/assets/banners/cloud-build-and-deploy-capacitor-apps.69628c3f.png) ](https://cloud.capawesome.io/) ## Newsletter[ΒΆ](#newsletter "Permanent link") Stay up to date with the latest news and updates about the Capawesome, Capacitor, and Ionic ecosystem by subscribing to our [Capawesome Newsletter](https://cloud.capawesome.io/newsletter/). ## Compatibility[ΒΆ](#compatibility "Permanent link") | Plugin Version | Capacitor Version | Status | | -------------- | ----------------- | -------------- | | 8.x.x | \>=8.x.x | Active support | | 7.x.x | 7.x.x | Deprecated | | 6.x.x | 6.x.x | Deprecated | | 5.x.x | 5.x.x | Deprecated | ## Installation[ΒΆ](#installation "Permanent link") You can use our **AI-Assisted Setup** to install the plugin. Add the [Capawesome Skills](https://github.com/capawesome-team/skills) to your AI tool using the following command: `[](#%5F%5Fcodelineno-0-1)npx skills add capawesome-team/skills --skill capacitor-plugins ` Then use the following prompt: `` [](#%5F%5Fcodelineno-1-1)Use the `capacitor-plugins` skill from `capawesome-team/skills` to install the `@capacitor-firebase/app-check` plugin in my project. `` If you prefer **Manual Setup**, install the plugin by running the following commands and follow the platform-specific instructions below: `[](#%5F%5Fcodelineno-2-1)npm install @capacitor-firebase/app-check firebase [](#%5F%5Fcodelineno-2-2)npx cap sync ` Add Firebase to your project if you haven't already ([Android](https://github.com/capawesome-team/capacitor-firebase/blob/main/docs/firebase-setup.md#android) / [iOS](https://github.com/capawesome-team/capacitor-firebase/blob/main/docs/firebase-setup.md#ios) / [Web](https://github.com/capawesome-team/capacitor-firebase/blob/main/docs/firebase-setup.md#web)). ### Android[ΒΆ](#android "Permanent link") See [Set up your Firebase project](https://firebase.google.com/docs/app-check/android/play-integrity-provider#project-setup) and follow the instructions to set up your app correctly. #### Variables[ΒΆ](#variables "Permanent link") If needed, you can define the following project variable in your app’s `variables.gradle` file to change the default version of the dependency: * `$firebaseAppCheckPlayIntegrityVersion` version of `com.google.firebase:firebase-appcheck-playintegrity` (default: `19.0.1`) * `$firebaseAppCheckDebugVersion` version of `com.google.firebase:firebase-appcheck-debug` (default: `19.0.1`) This can be useful if you encounter dependency conflicts with other plugins in your project. ### iOS[ΒΆ](#ios "Permanent link") On **iOS 14 and later**, see [Set up your Firebase project](https://firebase.google.com/docs/app-check/ios/app-attest-provider#project-setup) and follow the instructions to set up your app correctly. On **iOS 13**, see [Set up your Firebase project](https://firebase.google.com/docs/app-check/ios/devicecheck-provider#project-setup) and follow the instructions to set up your app correctly. Make sure that the private key (\*.p8) you upload to Firebase has `DeviceCheck` selected as a service. ### Web[ΒΆ](#web "Permanent link") See [Set up your Firebase project](https://firebase.google.com/docs/app-check/web/recaptcha-provider#project-setup) and follow the instructions to set up your app correctly. ## Configuration[ΒΆ](#configuration "Permanent link") No configuration required for this plugin. ## Firebase JavaScript SDK[ΒΆ](#firebase-javascript-sdk "Permanent link") [Here](https://github.com/capawesome-team/capacitor-firebase/blob/main/packages/app-check/docs/firebase-js-sdk.md) you can find information on how to use the plugin with the Firebase JS SDK. ## Demo[ΒΆ](#demo "Permanent link") A working example can be found here: [robingenz/capacitor-firebase-plugin-demo](https://github.com/robingenz/capacitor-firebase-plugin-demo) ## Usage[ΒΆ](#usage "Permanent link") `[](#%5F%5Fcodelineno-3-1)import { FirebaseAppCheck } from '@capacitor-firebase/app-check'; [](#%5F%5Fcodelineno-3-2)import { ReCaptchaV3Provider } from '@capacitor-firebase/app-check'; [](#%5F%5Fcodelineno-3-3)import { Capacitor } from '@capacitor/core'; [](#%5F%5Fcodelineno-3-4) [](#%5F%5Fcodelineno-3-5)const initialize = async () => { [](#%5F%5Fcodelineno-3-6) await FirebaseAppCheck.initialize({ [](#%5F%5Fcodelineno-3-7) provider: Capacitor.getPlatform() === 'web' ? new ReCaptchaV3Provider('myKey') : undefined, [](#%5F%5Fcodelineno-3-8) }); [](#%5F%5Fcodelineno-3-9)}; [](#%5F%5Fcodelineno-3-10) [](#%5F%5Fcodelineno-3-11)const getToken = async () => { [](#%5F%5Fcodelineno-3-12) const { token } = FirebaseAppCheck.getToken({ [](#%5F%5Fcodelineno-3-13) forceRefresh: false, [](#%5F%5Fcodelineno-3-14) }); [](#%5F%5Fcodelineno-3-15) return token; [](#%5F%5Fcodelineno-3-16)}; [](#%5F%5Fcodelineno-3-17) [](#%5F%5Fcodelineno-3-18)const setTokenAutoRefreshEnabled = async () => { [](#%5F%5Fcodelineno-3-19) await FirebaseAppCheck.setTokenAutoRefreshEnabled({ enabled: true }); [](#%5F%5Fcodelineno-3-20)}; [](#%5F%5Fcodelineno-3-21) [](#%5F%5Fcodelineno-3-22)const addTokenChangedListener = async () => { [](#%5F%5Fcodelineno-3-23) await FirebaseAppCheck.addListener('tokenChanged', event => { [](#%5F%5Fcodelineno-3-24) console.log('tokenChanged', { event }); [](#%5F%5Fcodelineno-3-25) }); [](#%5F%5Fcodelineno-3-26)}; [](#%5F%5Fcodelineno-3-27) [](#%5F%5Fcodelineno-3-28)const removeAllListeners = async () => { [](#%5F%5Fcodelineno-3-29) await FirebaseAppCheck.removeAllListeners(); [](#%5F%5Fcodelineno-3-30)}; ` ## API[ΒΆ](#api "Permanent link") * [getToken(...)](#gettoken) * [initialize(...)](#initialize) * [setTokenAutoRefreshEnabled(...)](#settokenautorefreshenabled) * [addListener('tokenChanged', ...)](#addlistenertokenchanged-) * [removeAllListeners()](#removealllisteners) * [Interfaces](#interfaces) * [Type Aliases](#type-aliases) ### getToken(...)[ΒΆ](#gettoken "Permanent link") `[](#%5F%5Fcodelineno-4-1)getToken(options?: GetTokenOptions | undefined) => Promise ` Get the current App Check token. | Param | Type | | ----------- | ----------------------------------- | | **options** | [GetTokenOptions](#gettokenoptions) | **Returns:** `Promise<[GetTokenResult](#gettokenresult)>` **Since:** 1.3.0 --- ### initialize(...)[ΒΆ](#initialize "Permanent link") `[](#%5F%5Fcodelineno-5-1)initialize(options?: InitializeOptions | undefined) => Promise ` Activate App Check for the given app. Can be called only once per app. | Param | Type | | ----------- | --------------------------------------- | | **options** | [InitializeOptions](#initializeoptions) | **Since:** 1.3.0 --- ### setTokenAutoRefreshEnabled(...)[ΒΆ](#settokenautorefreshenabled "Permanent link") `[](#%5F%5Fcodelineno-6-1)setTokenAutoRefreshEnabled(options: SetTokenAutoRefreshEnabledOptions) => Promise ` Set whether the App Check token should be refreshed automatically or not. | Param | Type | | ----------- | ----------------------------------------------------------------------- | | **options** | [SetTokenAutoRefreshEnabledOptions](#settokenautorefreshenabledoptions) | **Since:** 1.3.0 --- ### addListener('tokenChanged', ...)[ΒΆ](#addlistenertokenchanged "Permanent link") `[](#%5F%5Fcodelineno-7-1)addListener(eventName: 'tokenChanged', listenerFunc: TokenChangedListener) => Promise ` Called when the App Check token changed. | Param | Type | | ---------------- | --------------------------------------------- | | **eventName** | 'tokenChanged' | | **listenerFunc** | [TokenChangedListener](#tokenchangedlistener) | **Returns:** `Promise<[PluginListenerHandle](#pluginlistenerhandle)>` **Since:** 1.3.0 --- ### removeAllListeners()[ΒΆ](#removealllisteners "Permanent link") `[](#%5F%5Fcodelineno-8-1)removeAllListeners() => Promise ` Remove all listeners for this plugin. Only available for Web. **Since:** 1.3.0 --- ### Interfaces[ΒΆ](#interfaces "Permanent link") #### GetTokenResult[ΒΆ](#gettokenresult "Permanent link") | Prop | Type | Description | Since | | -------------------- | ------ | ---------------------------------------------------------------------------------------------------------------- | ----- | | **token** | string | The App Check token in JWT format. | 1.3.0 | | **expireTimeMillis** | number | The timestamp after which the token will expire in milliseconds since epoch. Only available for Android and iOS. | 1.3.0 | #### GetTokenOptions[ΒΆ](#gettokenoptions "Permanent link") | Prop | Type | Description | Default | Since | | ---------------- | ------- | ------------------------------------------------------------------------------------------------------- | ------- | ----- | | **forceRefresh** | boolean | If true, will always try to fetch a fresh token. If false, will use a cached token if found in storage. | false | 1.3.0 | #### InitializeOptions[ΒΆ](#initializeoptions "Permanent link") | Prop | Type | Description | Default | Since | | ----------------------------- | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | ----- | | **debug** | boolean | If true, the debug provider is used. ⚠️ **Attention**: The debug provider allows access to your Firebase resources from unverified devices. Don't use the debug provider in production builds of your app, and don't share your debug builds with untrusted parties. ⚠️ **Deprecated**: Use debugToken instead. This option will be removed in the next major version. Read more: https://firebase.google.com/docs/app-check/web/debug-provider | false | 1.3.0 | | **debugToken** | string \| boolean | If true, the debug provider is used. On **Web**, you can also set a predefined debug token string instead of true. On Android and iOS, you have to use environment variables for this. ⚠️ **Attention**: The debug provider allows access to your Firebase resources from unverified devices. Don't use the debug provider in production builds of your app, and don't share your debug builds with untrusted parties. | false | 7.1.0 | | **isTokenAutoRefreshEnabled** | boolean | If true, the SDK automatically refreshes App Check tokens as needed. | false | 1.3.0 | | **provider** | any | The provider to use for App Check. Must be an instance of ReCaptchaV3Provider, ReCaptchaEnterpriseProvider, or CustomProvider. Only available for Web. | ReCaptchaV3Provider | 7.1.0 | | **siteKey** | string | The reCAPTCHA v3 site key (public key). This option is ignored when provider is set. Only available for Web. | 1.3.0 | | #### SetTokenAutoRefreshEnabledOptions[ΒΆ](#settokenautorefreshenabledoptions "Permanent link") | Prop | Type | Description | Since | | ----------- | ------- | ------------------------------------------------------------------------------------------------------------------------------ | ----- | | **enabled** | boolean | If true, the SDK automatically refreshes App Check tokens as needed. This overrides any value set during initializeAppCheck(). | 1.3.0 | #### PluginListenerHandle[ΒΆ](#pluginlistenerhandle "Permanent link") | Prop | Type | | ---------- | ------------------- | | **remove** | () => Promise | #### TokenChangedEvent[ΒΆ](#tokenchangedevent "Permanent link") | Prop | Type | Description | Since | | --------- | ------ | ---------------------------------- | ----- | | **token** | string | The App Check token in JWT format. | 1.3.0 | ### Type Aliases[ΒΆ](#type-aliases "Permanent link") #### TokenChangedListener[ΒΆ](#tokenchangedlistener "Permanent link") Callback to receive the token change event. `(event: [TokenChangedEvent](#tokenchangedevent)): void` ## Testing[ΒΆ](#testing "Permanent link") ### Android[ΒΆ](#android%5F1 "Permanent link") Follow these steps to test your implementation on a real device: 1. Start your app on the Android device. 2. Run the following command to grab your temporary secret from the android logs: `[](#%5F%5Fcodelineno-9-1)adb logcat | grep DebugAppCheckProvider ` The output should look like this: `[](#%5F%5Fcodelineno-10-1)D DebugAppCheckProvider: Enter this debug secret into the allow list in [](#%5F%5Fcodelineno-10-2)the Firebase Console for your project: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX ` 1. Next, open the [App Check project](https://console.firebase.google.com/u/0/project/%5F/appcheck/apps) in the Firebase Console and select Manage debug tokens from the overflow menu of your app. Then, register the debug secret from the output. ## Changelog[ΒΆ](#changelog "Permanent link") See [CHANGELOG.md](https://github.com/capawesome-team/capacitor-firebase/blob/main/packages/app-check/CHANGELOG.md). ## License[ΒΆ](#license "Permanent link") See [LICENSE](https://github.com/capawesome-team/capacitor-firebase/blob/main/packages/app-check/LICENSE). --- 1. This project is not affiliated with, endorsed by, sponsored by, or approved by Google LLC or any of their affiliates or subsidiaries. [↩](#fnref:1 "Jump back to footnote 1 in the text") May 21, 2026 Back to top