App Check

Definition

Firebase App Check is the bot-defence layer that issues an attestation token to verified client apps and lets Firestore security rules require request.app != null on every read and write — gating the database to legitimate clients only.

Expanded

The family enforces App Check on every Firestore call, with reCAPTCHA Enterprise as the underlying provider (10K assessments/month free; the 7-day token TTL minimises consumption). The rules are default-deny on match /{document=**}, and the only allow rules also assert appChecked().

App Check is free; it is the cheapest way to defend the Spark plan from automated abuse that would otherwise burn the 50K/day read quota. Combined with Cloudflare WAF in front of *.oriz.in, it gives a two-layer rate-limit and bot-fight defense.

See also