← knowledge.oriz.in

Firebase App Check

service firebasesecurityprimary

Firebase App Check

Role

Every Firestore rule in the family requires request.app != null — that's App Check. Issues short-lived tokens that prove a request came from a real, attested client.

Free tier

Card / subscription required?

NO for App Check itself. Note: the family's chosen attestation provider is reCAPTCHA Enterprise, which DOES need a GCP billing account — see recaptcha-enterprise.md. If you swap to Turnstile-based attestation the card requirement disappears.

Alternatives

Swap cost

High — every Firestore rule references appChecked(). Removing it means rewriting the rule file and accepting open access.

Why this is our pick

It's the only Firestore-native bot defense. Mandatory by family security rules.

Cross-refs