firebase-app-check
$
npx mdskill add evanca/flutter-ai-rules/firebase-app-checkSecure Flutter apps by configuring Firebase App Check providers.
- Enforces token validation across web, Android, and iOS platforms.
- Integrates with Firebase Console for key management and project settings.
- Activates enforcement modes and monitors security metrics automatically.
- Delivers secure app initialization through Dart code execution.
SKILL.md
.github/skills/firebase-app-checkView on GitHub ↗
---
name: firebase-app-check
description: Integrates Firebase App Check into Flutter apps. Use when setting up App Check, selecting providers per platform, using debug providers during development, enabling enforcement, or applying App Check security best practices.
---
# Firebase App Check Skill
This skill defines how to correctly use Firebase App Check in Flutter applications.
## When to Use
Use this skill when:
* Setting up and activating Firebase App Check in a Flutter project.
* Selecting the right provider for each platform.
* Configuring debug providers for development and testing.
* Enabling enforcement and monitoring App Check metrics.
* Applying App Check security best practices.
---
## 1. Setup and Configuration
```
flutter pub add firebase_app_check
```
```dart
import 'package:firebase_app_check/firebase_app_check.dart';
```
Initialize App Check **after** `Firebase.initializeApp()` and **before** using any Firebase services:
```dart
await Firebase.initializeApp();
await FirebaseAppCheck.instance.activate(
webProvider: ReCaptchaV3Provider('recaptcha-v3-site-key'),
providerAndroid: AndroidPlayIntegrityProvider(),
providerApple: AppleDeviceCheckProvider(),
);
```
- Register your apps in the Firebase console under **Project Settings > App Check** before using the service.
- For web, obtain a reCAPTCHA v3 site key from the Firebase console.
- Consider setting a custom **TTL** for App Check tokens based on your security and performance needs — shorter TTLs are more secure but consume quota faster.
---
## 2. Provider Selection
**Android:**
| Provider | Use case |
|---|---|
| `AndroidPlayIntegrityProvider` | Production (default) |
| `AndroidDebugProvider` | Development / CI only |
**Apple (iOS / macOS):**
| Provider | Use case |
|---|---|
| `AppleDeviceCheckProvider` | Production default (iOS 11+, macOS 10.15+) |
| `AppleAppAttestProvider` | Enhanced security (iOS 14+, macOS 14+) |
| `AppleAppAttestProviderWithDeviceCheckFallback` | App Attest with Device Check fallback |
| `AppleDebugProvider` | Development / CI only |
**Web:**
| Provider | Use case |
|---|---|
| `ReCaptchaV3Provider` | Standard reCAPTCHA v3 |
| `ReCaptchaEnterpriseProvider` | Enhanced with additional features |
> **Android note:** For certain Android devices, enable "Meets basic device integrity" in the Google Play console to ensure proper App Check functionality.
---
## 3. Development and Testing
Use debug providers during development to run in emulators or CI environments:
```dart
await FirebaseAppCheck.instance.activate(
providerAndroid: AndroidDebugProvider('YOUR_DEBUG_TOKEN'),
providerApple: AppleDebugProvider('YOUR_DEBUG_TOKEN'),
);
```
- **iOS:** Enable debug logging by adding `-FIRDebugEnabled` to Arguments Passed on Launch in Xcode.
- **Web:** Set `self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;` in `web/index.html`.
- Register debug tokens shown in the console in the Firebase console's App Check section.
- **Never** use debug providers or share debug tokens in production builds.
- Keep debug tokens private — do not commit them to public repositories.
- Revoke compromised debug tokens immediately from the Firebase console.
---
## 4. Enforcement and Monitoring
- **Monitor** App Check metrics before enabling enforcement to avoid disrupting legitimate users.
- Enable enforcement **gradually**, starting with non-critical Firebase services.
- Monitor request metrics for Realtime Database, Cloud Firestore, Cloud Storage, and Authentication.
- Once enforcement is enabled, only registered apps with valid App Check tokens can access Firebase resources.
- Use App Check **in combination with** Firebase Security Rules for comprehensive security.
- Implement proper error handling for App Check verification failures.
---
## 5. Security Best Practices
- Never disable App Check in production builds once enabled.
- Implement a fallback mechanism for App Check verification failures.
- Regularly review App Check metrics to identify potential abuse patterns.
- App Check tokens are **automatically refreshed** at approximately half the TTL duration.
- For high-security applications, use the shortest practical TTL.
- Implement server-side verification for critical operations using the Firebase Admin SDK.
---
## References
- [Firebase App Check Flutter documentation](https://firebase.google.com/docs/app-check/flutter/default-providers)
- [Firebase App Check debug provider](https://firebase.google.com/docs/app-check/flutter/debug-provider)
More from evanca/flutter-ai-rules
- architecture-feature-firstStructures Flutter apps using layered architecture (UI / Logic / Data) with feature-first file organization. Use when creating new features, designing the project structure, adding repositories/services/view models (or cubits/providers/notifiers), or wiring dependency injection. State management agnostic.
- blocImplements Flutter state management using the bloc library (Bloc and Cubit). Use when creating new features, screens, or state management logic with bloc/cubit, modeling state, wiring Flutter widgets to blocs, or writing bloc/cubit unit tests.
- dart-3-updatesApplies Dart 3 language features in Flutter/Dart code. Use when writing if-else or switch statements, creating new classes, or deciding between a data class and a record.
- effective-dartApplies Effective Dart guidelines in Flutter/Dart code. Use when writing or reviewing Dart code for naming conventions, types, style, imports, file structure, usage patterns, documentation, testing, widgets, state management, or performance.
- firebase-aiIntegrates Firebase AI Logic into Flutter apps. Use when setting up the firebase_ai plugin, calling Gemini models, handling AI service errors, or applying security and privacy considerations for AI features.
- firebase-analyticsIntegrates Firebase Analytics into Flutter apps. Use when setting up analytics, logging events, setting user properties, or configuring event parameters.
- firebase-authIntegrates Firebase Authentication into Flutter apps. Use when setting up auth, managing auth state, implementing email/password or social sign-in, handling auth errors, managing users, or applying security best practices.
- firebase-cloud-firestoreIntegrates Cloud Firestore into Flutter apps. Use when setting up Firestore, designing document/collection structure, reading and writing data, working with real-time listeners, designing for scale, or applying security rules.
- firebase-cloud-functionsCalls Firebase Cloud Functions from Flutter apps. Use when setting up callable functions, passing data to functions, handling errors from function calls, optimizing performance, or testing with the Firebase Emulator Suite.
- firebase-crashlyticsIntegrates Firebase Crashlytics into Flutter apps. Use when setting up crash reporting, handling fatal and non-fatal errors, customizing crash reports with keys/logs/user identifiers, or configuring opt-in reporting.